Privacy Notice

How Altix collects, uses, and protects personal data — for workers, subcontractor firm owners, and team members.

Effective 29 April 2026

1. Who we are

Altix is a compliance and onboarding tool for UK subcontractor firms, operated as a sole trader by Viktor (the "Operator", "we", "us"). This notice explains how we handle personal data on the Altix platform.

Contact for data protection enquiries: daster1708@gmail.com.

2. Roles

When a subcontractor firm uses Altix to onboard its workers, the firm is the data controller for its workers' personal data. Altix is the data processor, acting on the firm's instructions under the terms of the Data Processing Agreement at /legal/dpa.

For account data of the firm itself (email, login, billing) Altix is the data controller.

3. What we collect — workers

When a worker is onboarded via an Altix link, we collect the following on behalf of the subcontractor firm:

  • Identity: full name, date of birth, nationality, profile photo, photo of ID document.
  • Contact: email, phone, home address, next-of-kin name and phone.
  • Tax and payroll: National Insurance number, UTR, bank account details (sort code, account number, name on card).
  • Right to work in the UK: government share code.
  • Construction credentials: CSCS card number and colour, certification photos and expiry dates.
  • Site assignments and induction dates.
  • Worker signature on the declaration page.

4. What we collect — firm members

For owners, managers, and accountants signing into Altix, we collect:

  • Email address and password (hashed).
  • Optional MFA factor.
  • Company name, alert email and notification thresholds.
  • Audit log entries describing actions you take in the app (worker create/update/delete, exports, invitations).
  • IP address and user-agent at the time of those actions.

5. Lawful basis

The subcontractor firm relies on the following lawful bases under UK GDPR Article 6 for the worker data it asks Altix to process:

  • Contract — to engage the worker, pay them, and meet site induction obligations.
  • Legal obligation — to evidence right-to-work checks, CIS reporting, and CDM 2015 site compliance.
  • Legitimate interest — to track certification expiries so the worker is not deployed with lapsed tickets.

Altix relies on contract with the firm and legitimate interest in operating, securing, and improving the platform for the data we process as a controller.

6. How long we keep it

The subcontractor firm decides how long to retain its workers' records, subject to UK statutory minimums (typically 6 years for tax/CIS records). Altix's defaults:

  • Your records, while you're an active worker: kept by your firm until they archive or delete you.
  • If you leave or are archived: kept by your firm until they manually purge the record (subject to the 6-year tax minimum above).
  • Record of who did what in the app: 24 months, then deleted automatically.
  • Record of expiry alert emails sent: 180 days.
  • Invitations that expire or aren't accepted: removed 30 days after they expire.
  • If a firm deletes its Altix account: 30-day grace period, then everything is hard-purged.

Backups. Our database and file-storage provider keeps point-in-time backups (7 to 30 days, depending on the plan) for operational recovery. When data is hard-purged from the live system, residual copies persist in those backups until they roll off according to the provider's standard retention. Backups are encrypted at rest and accessed only by service-role credentials. We will not restore deleted personal data from backup unless required to investigate a security incident or to comply with a legal order.

7. Where it's stored

Worker and account data is stored in Supabase (PostgreSQL + Storage) hosted in the EU (eu-west region). The application runs on Vercel. Transactional email is delivered via Resend. See the full sub-processor list.

Sensitive identifiers (NI number, UTR, sort code, account number, right-to-work share code) are encrypted at the application layer using AES-256-GCM before being written to the database, in addition to Supabase's at-rest encryption.

8. Who we share it with

Altix does not sell personal data. We share it only with:

  • The subcontractor firm that owns the worker record.
  • Sub-processors strictly required to operate the service (see the sub-processor list).
  • HMRC, the ICO, courts, or law enforcement where legally compelled.

9. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected (rectification).
  • Have your data erased where we have no overriding lawful reason to keep it.
  • Restrict or object to processing.
  • Receive a portable copy of your data (data portability).
  • Withdraw consent where consent was the lawful basis.
  • Lodge a complaint with the ICO at ico.org.uk.

If you are a worker whose data is held by a subcontractor firm, please direct rights requests to that firm — they are the controller. If you are a firm owner, you can export your data and delete your account in Settings → Privacy, or email daster1708@gmail.com.

10. Security

We use TLS for data in transit, application-layer encryption for sensitive identifiers, database-level tenant isolation, and an append-only audit log of consequential actions. We follow our breach response runbook if a personal-data incident is detected.

11. Changes to this notice

Material changes will be communicated to firm owners by email at least 30 days before they take effect. The current version is always at this URL.