Privacy Policy
Version v1.0
Last updated 26 April 2026
This Privacy Policy explains how VectisFlow Limited ("VectisFlow", "we", "us") collects, uses, stores, and shares personal data when you use Templio. Templio is a software service for UK recruitment agencies to manage contractor timesheets, approvals, invoicing, and compliance records.
1. Who we are
We are the controller of the personal data described in this Policy in relation to our website, customer accounts, and operational communications. Where we process Customer Data on behalf of an agency Customer, that Customer is the controller and we act as processor — see our Data Processing Addendum.
2. What personal data we collect
We collect different categories of data depending on your role:
- Agency staff (Authorised Users). Identity data (name, email), authentication metadata (via Clerk), IP address, session cookies, and billing data (via Stripe).
- Contractors. Name, email, National Insurance number (where you provide it on a timesheet), bank details (where required for self-billing), timesheet content, and any documents you upload to the document vault.
- Clients / approvers. Name, email, and records of approval actions taken on timesheets shared with you.
- Website visitors. Strictly necessary cookies only — see section 9.
3. Lawful basis for processing
- Contract performance (UK GDPR Art. 6(1)(b)) — to provide timesheet submission, approval, invoicing, and self-billing services.
- Legal obligation (Art. 6(1)(c)) — to retain audit logs (six years, HMRC), to maintain Agency Workers Regulations 2010 (AWR) and IR35 records, and to respond to lawful requests.
- Legitimate interests (Art. 6(1)(f)) — to prevent fraud, secure our platform, and investigate misuse. We do not currently run product analytics.
- Consent (Art. 6(1)(a)) — reserved for optional marketing communications; not used today.
4. How we use your data
We use personal data to:
- Provide the Templio service under our Customer Terms of Service;
- Authenticate Authorised Users and enforce tenant isolation;
- Calculate pay and generate invoices and self-billing documents;
- Transmit invoice data to your Xero account where you have connected Xero;
- Maintain an immutable audit log of state-changing actions for compliance;
- Detect and investigate abuse, fraud, and security incidents;
- Respond to your queries and support requests.
5. Who we share your data with
We share personal data with the sub-processors listed in Annex A of our DPA. We do not sell personal data and we do not disclose it to third parties for marketing purposes.
We may disclose personal data where required by law, court order, or regulatory request, or where necessary to protect the rights, property, or safety of VectisFlow, our Customers, or the public.
6. International transfers
Some of our sub-processors operate outside the United Kingdom. Where this is the case, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, together with supplementary measures where appropriate. See Annex A of the DPA for the current list and the specific transfer mechanism for each vendor.
7. Retention
- Customer Data (timesheets, invoices, approvals) — retained for the duration of the Customer's subscription and for six years after, in line with HMRC record-keeping requirements.
- Audit log — retained immutably for six years. The audit log is append-only at the database level.
- Personal data subject to an erasure request — where we are able to honour an erasure request under Art. 17 UK GDPR, we pseudonymise the relevant entries rather than deleting audit records (which we are required to retain).
- Marketing data — not collected at this time.
8. Your rights
Under UK GDPR you have the right to:
- Access your personal data;
- Rectify inaccurate data;
- Erase data (subject to legal retention obligations);
- Restrict processing;
- Request data portability;
- Object to processing based on legitimate interests;
- Not be subject to solely automated decisions with legal or similarly significant effect;
- Withdraw consent at any time where processing relies on consent.
To exercise these rights, contact our Data Protection Officer at [DPO_EMAIL]. You also have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk/make-a-complaint).
9. Cookies
We use only strictly necessary cookies. Under the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR, strictly necessary cookies are exempt from the consent requirement. We do not currently use analytics, advertising, or tracking cookies. If we later introduce such cookies we will update this Policy and implement a consent mechanism before they are set.
The full list of cookies currently in use:
10. Children's data
Templio is a business-to-business service and is not directed at children. We do not knowingly collect personal data from anyone under 18.
11. Changes to this policy
We may update this Policy from time to time. Where changes are material, we will notify our Customers by email at least 30 days before the changes take effect. The current version and last-updated date appear at the top of this page.
12. Contact us
Email us at privacy@templio.co.uk for any question about this Policy or how we handle personal data.