Privacy Policy

1. Introduction

Chefs Bay Hospitality Limited ("we", "us", "our") is committed to protecting your privacy and personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our services or interact with us.

Company Details:
Chefs Bay Hospitality Limited
Companies House No. 13588811
VAT No. 389155944
ICO Registration No. ZB226754
Registered Office: 1 Queen's Park Road, Handbridge, Chester CH4 7AD
Operational Base: Liscard, Wallasey
Email: contact@chefsbay.co.uk

We are registered with the Information Commissioner's Office (ICO) under registration ZB226754 and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Data We Collect

For Candidates/Workers:

• Personal identification: Full name, date of birth, address, contact details (phone number, email)
• Employment documents: CV/resume, references, qualifications, certifications
• Right-to-work documentation: Passport, visa, share code, National Insurance number
• Compliance documents: DBS check results, food safety certificates, allergen training certificates
• Banking details: For payroll purposes
• Emergency contact information
• Photographs: For identification purposes
• Work history and shift records through our platform

For Clients:

• Business contact information: Name, job title, email, phone number
• Company details: Business name, address, VAT number
• Billing information: Payment details, invoicing preferences
• Communication records: Emails, call notes, booking requests

Website Visitors:

• Technical data: IP address, browser type, device information
• Usage data: Pages visited, time spent on site
• Contact form submissions: Name, email, message content

3. How We Use Your Data

We use your personal data for the following purposes:

Staffing Services:

• Matching candidates with suitable job opportunities
• Contacting you about available shifts and work assignments
• Verifying your identity and right to work in the UK
• Processing payroll and payments
• Managing compliance requirements (DBS, food safety, etc.)
• Communicating about shift details, changes, or cancellations

Client Services:

• Processing and fulfilling staffing requests
• Billing and invoicing
• Account management and relationship building
• Service improvement based on feedback

General:

• Responding to enquiries and providing customer support
• Complying with legal obligations
• Preventing fraud and ensuring security
• Improving our website and services

4. Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract: Processing necessary to perform our contract with you, such as matching you with work opportunities, processing your pay, or providing staffing services to clients.
• Legal obligation: Processing required by law, such as verifying right-to-work status, maintaining payroll records, or complying with tax requirements.
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, or maintaining our candidate database.
• Consent: Where you have given explicit consent, such as for marketing communications or sharing your details with specific clients.

5. Data Sharing

We share your personal data with the following categories of recipients. All processors are bound by written data-processing agreements that limit them to the purposes set out below.

Clients (data controllers in their own right):

• Name, contact details, qualifications, photographs, and compliance status (right-to-work confirmation, DBS check level and date, food safety training records)
• Shared to fulfil a placement, support host-site safeguarding obligations under KCSIE / Care Act 2014, and meet Conduct Regulations 2003 client-information requirements

Vetting and identity processors:

• Yoti — Home Office-certified Identity Service Provider used to verify right to work for British and Irish nationals via digital identity-document verification (IDSP framework)
• Aaron's Department — DBS umbrella body that processes Disclosure and Barring Service checks on our behalf

Operational platforms:

• Ubeya — workforce management software for shift coordination, attendance tracking, and worker communications
• HubSpot — CRM and email marketing platform for newsletter subscriptions and client relationship records
• Mailgun — transactional email delivery for confirmation emails and contact-form notifications
• Vercel — website hosting and analytics for chefsbay.co.uk
• Third-party payroll provider for worker payments

Professional and statutory recipients:

• Accountants, legal advisors, and auditors where necessary for business operations
• HMRC (tax and payroll), Home Office (right-to-work verification), the Disclosure and Barring Service (referrals under our duty as a Personnel Supplier), local authority safeguarding teams (Care Act 2014 enquiries) where the law requires

We do not sell your personal data. International transfers, where they occur (e.g. cloud-hosted email or analytics infrastructure), use UK-adequate jurisdictions or Standard Contractual Clauses with appropriate supplementary measures.

6. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:

• Active candidates: Data is retained while you are registered with us and actively seeking work.
• Inactive candidates: If you have not worked with us for 2 years, we will contact you to confirm whether you wish to remain on our database.
• Payroll and tax records: Retained for 6 years as required by HMRC.
• Right-to-work documents: Retained for 2 years after employment ends, as required by the Code of Practice on preventing illegal working.
• DBS check details: We record certificate number, check level, date of issue, and Update Service status on our Single Central Record. Copies of DBS certificates are not retained beyond 6 months unless a documented reason applies, in line with DBS guidance on handling certificate information.
• Client records: Retained for the duration of the business relationship plus 6 years.
• Conduct Regulations 2003 records: Most agency records are retained for 1 year from creation; client-contract records (Reg 22) are retained for 3 years. Where UK GDPR requires a longer period for the same data, we apply the longer period.

7. Your Rights

Under data protection law, you have the following rights:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can request correction of inaccurate or incomplete data.
• Right to erasure: In certain circumstances, you can request deletion of your personal data.
• Right to restrict processing: You can request that we limit how we use your data.
• Right to data portability: You can request your data in a machine-readable format.
• Right to object: You can object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, please contact us at contact@chefsbay.co.uk. We will respond within one month. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

Our website uses cookies to improve your browsing experience. Cookies are small text files stored on your device that help us understand how you use our site.

Types of cookies we use:

• Essential cookies: Required for the website to function properly.
• Analytics cookies: Help us understand how visitors interact with our site.
• Functional cookies: Remember your preferences and settings.

You can control cookies through your browser settings. Please note that disabling certain cookies may affect website functionality.

9. Contact Us

If you have any questions about this privacy policy or how we handle your personal data, please contact us: