ZERITY LIMITED — App Privacy Notice (Processor)

Important: For the personal data in our App/Platform (zeritycloud.com and sub‑domains), we process on behalf of your engager/main contractor — the data controller (e.g., ). That means decides why and how your data is used. We follow their documented instructions.

If you're looking for how Zerity handles data from its own website and business contacts (not Client Data), see our separate Website Privacy Notice.

1) Scope

This notice explains how Zerity handles personal data in the App when we act as a data processor for . It does not cover external sites linked from the App.

2) Who is the Controller and who is the Processor?

Controller: (your engager/main contractor).

Processor: ZERITY LIMITED. We process personal data on behalf of and only in line with 's written instructions and our contract with them.

3) What data we process (on behalf of )

Depending on the features uses, we may process:

• Identity & contact: name; email; phone.
• Right‑to‑work & compliance: NI number; UTR; driving‑licence info and photograph copies; passport/residency/RTW evidence.
• Payment & company information: bank account name/number/sort code; company name/type; company bank account details.
• Technical & usage data: IP address; dates/times of access; frequency and in‑App interactions (for security, operations and support).

We process this data on behalf of to deliver and support the App they've asked us to provide.

4) How we collect data (for )

• From you (entered into the App or provided to ).
• From (including uploads by their staff/agents, e.g., accountants).
• From integrated third‑party tools used by .
• Automatically from your device/App usage (security/operational logs).

All such collection is on behalf of .

5) Why we process data (purposes, on behalf of )

We process personal data to provide, operate, secure and support the App for , for example:

• onboarding and compliance workflows that enables;
• payment, reporting and audit trails;
• user support, troubleshooting and service continuity;
• security, incident prevention and service performance.

We do not use Client Data for our own marketing or unrelated purposes.

6) Legal basis

The legal basis for processing Client Data is determined by as the controller. Zerity processes that data under contract with and on their instructions.

7) Sharing and sub‑processors (for )

We may share Client Data on behalf of with:

• Authorised sub‑processors that help us host, operate and support the App (e.g., infrastructure, security, support tooling).
• and their authorised users/agents (to fulfil their instructions).
• Professional advisers or authorities where required by law and, where permitted, with notice to .

All sub‑processors are bound by written terms that require equivalent protections. Our current list is available at: {SUBPROCESSOR_LIST_URL}.

We do not sell Client Data.

8) Security

We apply appropriate technical and organisational measures (access controls, encryption in transit, monitoring, resilience and regular reviews) and require equivalent measures from our sub‑processors — all for and on behalf of .

If we become aware of a personal data breach affecting Client Data, we will notify without undue delay and assist them with their assessment and any required notifications.

9) International transfers

Where Client Data is transferred outside the UK/EEA for or on behalf of , we and/or will implement appropriate safeguards (e.g., UK IDTA/UK Addendum to EU SCCs, EU SCCs, and related transfer assessments) or rely on another lawful transfer mechanism.

10) Retention and deletion

We retain Client Data only for as long as instructs (including any legally required backups). On termination or at 's request, we will delete or return Client Data within the timelines in our contract, except where retention is required by law.

11) Your rights (how to exercise them)

Because is the controller, please send any requests to exercise your data protection rights (access, correction, deletion, restriction, portability, objection) directly to at: {CLIENT_CONTACT_EMAIL}.

If you contact us, we'll help identify and forward your request to and will act only on 's instructions, unless the law requires otherwise.

You can also raise concerns with the UK Information Commissioner's Office (ICO) at ico.org.uk.

12) Changes to this notice

We may update this notice to reflect changes requested by or required by law. We'll post updates in the App and indicate the effective date.

13) Governing law

This notice is governed by the law of England and Wales, with exclusive jurisdiction of the English and Welsh courts.

Annex A — Quick reference (on behalf of )

Controller:

Processor:

ZERITY LIMITED

Primary purpose:

Operate and support the App for

Data sources:

You; ; 's agents; integrated services; system logs

Rights requests:

Send to (we assist )