Version: 1.0
Last updated: 03/06/26
Provider: Stow Quill Ltd trading as House Desk
Company number: 15671718
Registered office: 47 Jerounds, Harlow, Essex, CM19 4HE
Email: support@bopple.co.uk
This Privacy Notice explains how House Desk collects, uses, stores and shares personal data when you use our platform, website, mobile application and related services.
House Desk Privacy Notice
This Privacy Notice explains how House Desk collects, uses, stores and shares personal data.
House Desk is workplace software used by pubs, bars, restaurants, venues, hospitality businesses and other organisations to manage rotas, clock-in and clock-out, timesheets, holidays, availability, tasks, training, documents, messages, staff records and other workplace operations.
Please read this notice carefully. It explains what personal data may be processed through House Desk, why it is used, who controls it, who it may be shared with, how long it may be kept, and what rights you may have.
1. Who we are
House Desk is operated by:
Stow Quill Ltd Trading as: House Desk Company number: 15671718 Registered office: 47 Jerounds, Harlow, Essex, CM19 4HE Email: privacy@bopple.co.uk
In this notice, House Desk, we, us and our mean Stow Quill Ltd trading as House Desk.
2. Who this Privacy Notice applies to
This Privacy Notice applies to:
- customer account owners;
- customer administrators;
- managers and supervisors;
- staff users;
- employees;
- workers;
- contractors;
- casual staff;
- agency staff;
- trial users;
- people who contact House Desk for support;
- people who visit our website;
- people who receive marketing or sales communications from us;
- and anyone else whose personal data we process.
3. Important: your employer or organisation may also control your data
If you use House Desk because your employer, manager, venue, company or organisation invited you, that organisation is usually the controller of most workplace data in House Desk.
This means your employer or organisation normally decides:
- what staff data is collected;
- why it is collected;
- how it is used;
- who can access it;
- how long it is kept;
- and how to respond to data rights requests.
House Desk usually acts as a processor for that workplace data. This means we process the data on behalf of your employer or organisation.
Your employer or organisation should also provide its own staff privacy notice explaining how it uses your personal data.
If you have questions about workplace records in House Desk, such as rota records, clock-in records, timesheets, holiday records, training records, documents, incident records or messages, you should usually contact your employer or organisation first.
4. When House Desk is controller
House Desk may act as controller for certain personal data we use for our own business purposes.
This may include:
- customer account owner details;
- billing contact details;
- sales enquiries;
- support tickets sent directly to House Desk;
- website analytics;
- marketing preferences;
- security logs used to protect our service;
- communications with customers and prospective customers;
- and records needed for legal, accounting, tax, fraud prevention, security or dispute purposes.
Where House Desk is controller, we are responsible for deciding how and why that data is used.
5. When House Desk is processor
House Desk usually acts as processor for workplace data entered into the platform by or on behalf of a customer.
This may include:
- staff profiles;
- rota records;
- shift records;
- clock-in and clock-out records;
- timesheets;
- holiday requests;
- availability records;
- shift swap records;
- training records;
- document records;
- policy acknowledgements;
- messages and comments;
- task records;
- opening and closing checklists;
- temperature logs;
- incident and accident reports;
- manager notes;
- payroll export data;
- audit logs;
- and other workplace records.
Where House Desk acts as processor, we process this data on the customer's instructions and in line with our contract and Data Processing Agreement.
6. Personal data we may collect
Depending on how House Desk is used, we may process the following types of personal data.
6.1 Account and identity data
- name;
- email address;
- phone number;
- username;
- profile photo;
- user ID;
- role or job title;
- workplace or venue;
- account permissions;
- manager or admin status;
- and account login details.
6.2 Employment and workplace data
- rota information;
- shift information;
- working hours;
- clock-in and clock-out records;
- timesheets;
- break records;
- holiday requests;
- availability;
- shift swap requests;
- absence information entered into the app;
- training records;
- document acknowledgements;
- tasks and checklist completion records;
- operational checks;
- manager approvals;
- and payroll export information.
6.3 Communication data
- messages sent through House Desk;
- comments;
- announcements;
- notifications;
- support requests;
- emails;
- in-app messages;
- and records of communications with House Desk.
6.4 Document and uploaded content data
- documents uploaded to House Desk;
- files;
- images;
- forms;
- policy acknowledgements;
- training materials;
- signed or accepted documents;
- incident forms;
- accident records;
- and other uploaded content.
6.5 Technical and device data
- IP address;
- device type;
- browser type;
- operating system;
- app version;
- login times;
- security logs;
- audit logs;
- error logs;
- cookie identifiers;
- and usage information.
6.6 Location and attendance verification data
House Desk may process location or attendance verification data if enabled by the customer.
This may include:
- location at the time of clock-in or clock-out;
- site-based attendance checks;
- IP address;
- device information;
- photo or image checks where enabled;
- time and date stamps;
- and audit logs.
These features are controlled by the customer or employer. They should explain how and why they use them.
6.7 Payment and billing data
For customer account owners or billing contacts, we may process:
- billing name;
- billing email;
- company name;
- billing address;
- subscription plan;
- payment status;
- invoice records;
- transaction references;
- and limited payment information.
Payment card details may be processed by a third-party payment provider. House Desk does not need to store full card details.
6.8 Marketing and sales data
- business contact details;
- enquiry details;
- demo requests;
- sales communication records;
- marketing preferences;
- campaign interaction data;
- and unsubscribe records.
7. Special category data and sensitive information
House Desk is not designed to routinely collect special category data.
Special category data includes information about health, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, sex life or sexual orientation.
However, customers or users may sometimes enter sensitive information into House Desk, for example in incident reports, accident reports, absence notes, documents, messages or support requests.
Customers are responsible for ensuring they have a lawful basis and any required additional condition for processing sensitive workplace data they enter into House Desk.
Users should avoid entering unnecessary sensitive information into House Desk.
8. Why personal data is used and lawful bases
The UK GDPR requires a lawful basis for processing personal data. The ICO explains that organisations must identify at least one lawful basis before processing personal information.
The lawful basis depends on the type of data and the purpose.
8.1 Providing the House Desk platform
- Data used: account data, login data, staff records, rota data, timesheet data, clock-in data, messages, documents, task records and other platform data.
- Purpose: to provide House Desk features to customers and users.
- Likely lawful basis: contract, legitimate interests, and/or legal obligation depending on the customer's use.
- Controller: usually the customer/employer for workplace data; House Desk for its own account administration data.
8.2 Managing rotas, shifts and workplace operations
- Data used: rota records, shift records, availability, holiday requests, role information, task records and operational records.
- Purpose: to help the customer manage staffing and workplace operations.
- Likely lawful basis: contract, legitimate interests and/or legal obligation.
- Controller: usually the customer/employer.
8.3 Recording clock-in, clock-out and timesheets
- Data used: attendance records, clock-in and clock-out times, timesheets, breaks, approvals, audit logs, and verification data where enabled.
- Purpose: to help the customer manage attendance, payroll preparation, staffing and record keeping.
- Likely lawful basis: contract, legitimate interests and/or legal obligation.
- Controller: usually the customer/employer.
8.4 Training, documents and policy acknowledgements
- Data used: training records, document views, acknowledgements, signatures, uploaded documents and completion records.
- Purpose: to help customers manage staff onboarding, training, policies and compliance.
- Likely lawful basis: contract, legitimate interests and/or legal obligation.
- Controller: usually the customer/employer.
8.5 Messages, updates and workplace communications
- Data used: messages, comments, announcements, notifications and related metadata.
- Purpose: to allow workplace communication through House Desk.
- Likely lawful basis: contract and/or legitimate interests.
- Controller: usually the customer/employer for workplace communications.
8.6 Tasks, checklists and operational checks
- Data used: task records, checklist responses, opening and closing checks, temperature logs, maintenance checks and audit logs.
- Purpose: to help customers manage workplace tasks, safety checks and operational records.
- Likely lawful basis: legitimate interests and/or legal obligation.
- Controller: usually the customer/employer.
8.7 Incident and accident records
- Data used: incident details, accident reports, names, dates, descriptions, witness details, manager notes and related documents.
- Purpose: to help customers record and manage workplace incidents, accidents and concerns.
- Likely lawful basis: legitimate interests, legal obligation, and where relevant special category conditions.
- Controller: usually the customer/employer.
8.8 Customer account management and billing
- Data used: customer admin contact details, billing details, plan details, payment status, invoices and account records.
- Purpose: to manage customer accounts, subscriptions, payments, invoices and service communications.
- Likely lawful basis: contract, legitimate interests and legal obligation.
- Controller: House Desk.
8.9 Support and troubleshooting
- Data used: support messages, contact details, account information, technical logs, screenshots or files provided to support.
- Purpose: to respond to support requests, fix problems, investigate errors and improve service reliability.
- Likely lawful basis: contract and legitimate interests.
- Controller: House Desk for support communications; customer/employer may remain controller for workplace data included in support requests.
8.10 Security, fraud prevention and abuse prevention
- Data used: login records, IP addresses, device data, audit logs, usage logs and security alerts.
- Purpose: to protect House Desk, prevent unauthorised access, detect misuse and maintain service security.
- Likely lawful basis: legitimate interests and legal obligation.
- Controller: House Desk and/or the customer depending on the context.
8.11 Service improvement and analytics
- Data used: usage information, error data, performance data, feature usage and aggregated analytics.
- Purpose: to understand how House Desk is used, improve features, fix bugs and develop the service.
- Likely lawful basis: legitimate interests and/or consent where required for cookies or similar technologies.
- Controller: House Desk.
8.12 Marketing
- Data used: business contact details, enquiry details, marketing preferences and communication history.
- Purpose: to send product updates, offers, newsletters or sales communications.
- Likely lawful basis: consent and/or legitimate interests depending on the communication and recipient.
- Controller: House Desk.
8.13 Legal, tax, accounting and dispute purposes
- Data used: account records, invoices, contracts, communications, logs and relevant evidence.
- Purpose: to comply with legal obligations, keep business records, enforce terms, resolve disputes and respond to legal claims.
- Likely lawful basis: legal obligation and legitimate interests.
- Controller: House Desk.
9. Where we get personal data from
We may receive personal data from:
- you directly;
- your employer or organisation;
- managers or administrators;
- other users in the same customer account;
- documents or forms uploaded to House Desk;
- devices and browsers used to access House Desk;
- payment providers;
- support communications;
- website forms;
- and third-party services connected to House Desk.
If you are a staff user, much of your workplace data may be provided by your employer, manager, administrator or other authorised users.
10. Who personal data may be shared with
Personal data may be shared with:
- the customer/employer that controls the relevant account;
- managers, supervisors and administrators within that customer account;
- other authorised users where the feature requires it;
- House Desk staff and contractors who need access to provide the service;
- hosting providers;
- database providers;
- email and notification providers;
- payment providers;
- analytics providers;
- support/helpdesk providers;
- professional advisers;
- insurers;
- regulators, courts, law enforcement or public authorities where required;
- and other service providers who help us operate House Desk.
We only share personal data where there is a lawful basis and a valid reason to do so. The ICO's data sharing guidance says organisations must identify a lawful basis before sharing personal data.
11. Subprocessors and service providers
House Desk may use subprocessors and service providers to operate the platform.
These may include providers for:
- cloud hosting;
- database storage;
- file storage;
- email delivery;
- SMS or push notifications;
- payments;
- analytics;
- error monitoring;
- customer support;
- security;
- and backups.
Where House Desk acts as processor, subprocessors are handled in accordance with the Data Processing Agreement with the customer.
A current list of key subprocessors (including hosting, authentication, payments, notifications and optional integrations) is available at: https://housedesk.co.uk/privacy/subprocessors
12. International transfers
Some service providers may process personal data outside the United Kingdom.
Where personal data is transferred internationally, we will use appropriate safeguards where required, such as:
- adequacy regulations;
- standard contractual clauses;
- the UK International Data Transfer Agreement;
- the UK Addendum to EU Standard Contractual Clauses;
- or another lawful transfer mechanism.
Customers should also check their own data protection obligations where they choose to connect House Desk with third-party systems.
13. How long personal data is kept
The UK GDPR does not set one fixed retention period for all personal data. The ICO says organisations must justify how long they keep personal data based on their purposes for processing.
Retention periods depend on the type of data and who controls it.
13.1 Customer-controlled workplace data
Where data is controlled by a customer/employer, the customer/employer decides how long it should be kept.
This may include rota records, clock-in and clock-out records, timesheets, holiday records, training records, documents, incident records, messages, task records, and other workplace records.
House Desk keeps this data in line with the customer's instructions, account settings, contract and Data Processing Agreement.
Further detail on typical retention periods for rota data, clock-in records, timesheets, payroll exports, training, incidents, deleted accounts and backups is set out in our Data Retention Policy: https://housedesk.co.uk/data-retention
13.2 House Desk account and billing records
We may keep account, subscription, invoice and billing records for as long as needed for accounting, tax, legal and dispute purposes.
13.3 Support records
We may keep support tickets and related communications for as long as needed to provide support, investigate issues, improve the service, maintain records and handle disputes.
13.4 Security logs
We may keep security, audit and technical logs for as long as needed to protect House Desk, investigate incidents, prevent misuse and maintain service reliability.
13.5 Marketing records
We keep marketing preferences and unsubscribe records to make sure we respect your choices.
13.6 Deleted accounts
When a customer account is deleted or closed, data may be deleted from active systems after a reasonable period, unless we need to retain it for legal, accounting, security, backup or dispute purposes.
Some data may remain in backups until those backups are overwritten or deleted through normal backup cycles. See our Data Retention Policy (https://housedesk.co.uk/data-retention) for more information.
14. Your data protection rights
Depending on the circumstances, you may have rights under data protection law, including:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- rights relating to automated decision-making and profiling;
- and the right to withdraw consent where processing is based on consent.
Your rights may depend on the type of data, the lawful basis for processing and whether House Desk or your employer/organisation is the controller.
The ICO says privacy notices should include people's information rights and explain how they can complain if they have concerns.
15. How to make a data rights request
If your request relates to workplace data controlled by your employer or organisation, you should usually contact your employer or organisation directly.
This may include requests about rota records, clock-in and clock-out records, timesheets, holiday records, availability records, training records, documents, messages, incident reports, manager notes, and other staff records.
If you contact House Desk directly about customer-controlled workplace data, we may need to refer your request to the relevant employer or organisation.
If your request relates to data House Desk controls directly, such as support requests, billing contact information or marketing preferences, you can contact us at: privacy@bopple.co.uk
We may need to verify your identity before responding.
16. Deletion requests
You may ask for personal data to be deleted in certain circumstances.
However, deletion is not always available.
For workplace data controlled by your employer or organisation, your employer or organisation usually decides whether data can be deleted. They may need to keep some records for employment, payroll, tax, legal, health and safety, licensing, dispute or compliance reasons.
House Desk will not usually delete customer-controlled workplace data unless instructed by the customer/employer or required by law.
17. Correction requests
If you believe your personal data is inaccurate, you can ask for it to be corrected.
For workplace data, such as rota records, timesheets, clock-in records, holiday records or training records, you should usually contact your employer or manager.
If the inaccurate data is controlled by House Desk, such as your support contact details or marketing preferences, you can contact us directly.
18. Location and monitoring information
House Desk may include features that support attendance verification, audit logs, location-based clock-in checks, device checks, manager approvals and similar workplace controls.
These features are configured by the customer/employer.
Your employer or organisation is responsible for explaining whether these features are enabled, why they are used, what data is collected, who can see it, how long it is kept, and what rights you have.
House Desk provides the technical system but does not decide how your employer manages staff attendance or monitoring.
19. Automated decisions
House Desk may provide tools, alerts, reports, calculations, reminders or summaries.
Unless we tell you otherwise, House Desk does not make final employment decisions about you.
Your employer or organisation is responsible for employment decisions, such as rota allocation, pay, disciplinary action, performance decisions, absence management or staff management.
If your employer uses House Desk outputs to help make decisions about you, your employer should explain this in its own privacy information.
20. Cookies and similar technologies
Our website and platform may use cookies or similar technologies.
These may be used to:
- keep you logged in;
- remember preferences;
- secure the service;
- measure website performance;
- understand usage;
- improve the service;
- and support marketing where permitted.
Where required, we will ask for your consent before using non-essential cookies.
More information is available in our Cookie Policy: https://housedesk.co.uk/cookies
21. Security
We use reasonable technical and organisational measures designed to protect personal data.
These may include access controls, encryption, logging, backups, secure hosting, password protections, permission controls and monitoring.
However, no online service can be completely secure.
You should help keep your data secure by:
- using a strong password;
- not sharing your login details;
- logging out where appropriate;
- keeping devices secure;
- using multi-factor authentication where available;
- and telling your employer or House Desk if you think your account has been compromised.
22. Children
House Desk is designed for workplace use and is not intended for children.
Users should only access House Desk where they have been invited by a customer/employer or are authorised to use the platform.
Where a customer/employer lawfully employs or engages a young worker and creates an account for them, the customer/employer is responsible for ensuring appropriate privacy information and safeguards are provided.
23. Complaints
If you are unhappy with how your workplace data is used, you should usually contact your employer or organisation first, as they are normally the controller of that data.
If your complaint relates to data House Desk controls directly, you can contact us at: privacy@bopple.co.uk
You also have the right to complain to the Information Commissioner's Office.
ICO website: https://ico.org.uk ICO telephone: 0303 123 1113
24. Changes to this Privacy Notice
We may update this Privacy Notice from time to time.
If we make important changes, we may notify users by email, in-app notice or another suitable method.
The latest version will be available at: https://housedesk.co.uk/privacy
25. Contact details
For privacy questions relating to House Desk-controlled data, contact:
House Desk Privacy Team Stow Quill Ltd privacy@bopple.co.uk 47 Jerounds, Harlow, Essex, CM19 4HE
For workplace data held in your employer's House Desk account, you should usually contact your employer, manager or organisation first.