GDPR & Data Processing

Last updated: 6 June 2026

Arvy Hospitality Solutions Ltd complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and, where applicable, EU GDPR. This statement sets out our roles, safeguards and the terms on which we process personal data on behalf of clients.

1. Controller / Processor roles

  • We are the controller for personal data of our workers, job applicants and client contacts.
  • We act as a processor for personal data we handle on behalf of a client (for example, when client-provided shift data identifies their staff or guests).

2. Lawful basis

We process personal data on the bases of contract, legal obligation, legitimate interests, and consent — as detailed in our Privacy Policy.

3. Data Processing Terms (when we act as processor)

  • We process personal data only on documented instructions from the client.
  • We ensure persons authorised to process the data are bound by confidentiality.
  • We implement appropriate technical and organisational measures (Art. 32).
  • We engage sub-processors only with prior general or specific authorisation and flow down equivalent obligations.
  • We assist the client with data-subject requests, DPIAs and breach notifications.
  • On termination, we delete or return personal data as instructed.
  • We make available all information necessary to demonstrate compliance and allow audits.

4. Sub-processors

Current sub-processors include our cloud hosting provider, database and authentication platform, payroll provider, accounting platform, email and SMS providers, and background-check providers. A current list is available on request.

5. International transfers

Where personal data is transferred outside the UK or EEA, we rely on adequacy regulations or the UK International Data Transfer Agreement / EU Standard Contractual Clauses, supported by a transfer risk assessment where required.

6. Security measures

  • Encryption in transit (TLS) and at rest
  • Role-based access control and least-privilege principles
  • Multi-factor authentication for administrative access
  • Row-level security on multi-tenant data
  • Regular backups and tested restore procedures
  • Logging, monitoring and vulnerability management
  • Staff training and confidentiality agreements

7. Data-subject rights

Data subjects may exercise rights of access, rectification, erasure, restriction, portability and objection by contacting booking@arvy24.co.uk. We respond within one month (extendable to three months for complex requests).

8. Breach notification

We will notify the affected client without undue delay (and the ICO within 72 hours where required) on becoming aware of a personal data breach, including the nature of the breach, categories and approximate number of data subjects, likely consequences and remedial actions.

9. Data Protection contact

Email: booking@arvy24.co.uk. Post: 6th Floor, First Central 200, 2 Lakeside Drive, Park Royal, London NW10 7FQ.

Questions about this policy?

Contact Arvy Hospitality Solutions Ltd at booking@arvy24.co.uk or 020 3929 1773.