This Privacy Policy explains how Ontime Payments Limited ("Ontime", "we", "us", "our") collects, uses, shares and protects personal information when individuals interact with Ontime as part of the payroll-linked deduction instruction service.

This version replaces earlier drafts and is aligned to Ontime's operating model, controller/processor boundaries, and data protection assessments.

Our approach to privacy

Ontime is designed to enable employees to pay existing bills through authorised deductions from net salary. We process personal information only where it is necessary to deliver that service, to meet legal obligations, and to protect individuals and our partners.

We apply the principles of data minimisation, purpose limitation, security and transparency throughout our operations. Personal data is not used for unrelated profiling or product marketing.

Who we are

Ontime is the trading name of Ontime Payments Limited (company number 15474033).

Registered and postal address:
Spaces, 60 St. Martin's Lane, London, WC2N 4JS.

Ontime is registered with the Information Commissioner's Office (ICO) as a data controller under registration number ZB684820.

How Ontime's service works and our data roles

Ontime's service operates in three stages. Our role under UK GDPR differs by stage:

Availability check ("light-match")

At this stage, a third-party biller checks whether an individual may be able to use Ontime as a payment method.

  • The biller is the data controller.
  • Ontime acts as a data processor on the biller's instructions.
  • Payroll software providers act as sub-processors.

Ontime does not determine the purpose of processing at this stage and receives only limited identifiers.

During the light-match availability check, Ontime does not receive or access full payroll records. Ontime processes a limited set of identifiers solely to support an indicative availability assessment, acting as a data processor on the instructions of the biller. Final confirmation of employment and deduction setup only occurs following a separate full-match step initiated by the individual.

Full match and onboarding

If the individual chooses to use Ontime, they provide additional information (including National Insurance number) to confirm eligibility and set up deductions.

From this point:

  • Ontime becomes an independent data controller, as we determine how personal data is used to deliver the service.

Ongoing deductions and service delivery

Once deductions are live, Ontime processes information needed to operate, confirm, stop or refund deductions, and to meet legal and accounting obligations.

Personal information we collect

Depending on how you interact with Ontime, we may collect:

Identifiers and contact details

  • Name
  • Date of birth
  • Postcode and address
  • Email address and mobile number

Employment and payroll-related information

  • Employer name
  • Payroll software provider
  • Pay frequency, pay dates and pay information relevant to running deductions
  • Employee unique identifier generated by payroll software provider

National Insurance number (NINO)

  • Used once to perform a full payroll match
  • Replaced immediately with a pseudonymous employee ID for all ongoing processing

Deduction and service data

  • Deduction amounts and schedules
  • Payment and reference details
  • Service communications and confirmations

Support communications

  • Messages and correspondence when you contact Ontime (for example via email or phone)

Ontime does not intentionally collect special-category data (such as health, ethnicity or trade union membership).

How we use personal information and our lawful bases

We process personal information only where permitted by UK GDPR. The main purposes and lawful bases are:

Availability checks (light-match)

  • Lawful basis: Legitimate interests (of the biller)
  • Ontime acts as processor only

Full match, onboarding and deductions

  • Lawful basis: Performance of a contract
  • Processing is necessary to set up and operate salary deductions you have requested

Legal, accounting and audit obligations

  • Lawful basis: Legal obligation

Service communications and customer support

  • Lawful basis: Performance of a contract and legitimate interests

Ontime does not rely on consent as the legal basis for salary deductions; deductions are authorised under contract and employment law requirements.

Data minimisation and accuracy

Ontime is designed to limit the data we receive and retain:

  • Payroll providers return only match confidence results during availability checks
  • Full payroll records are not shared with Ontime
  • NINO is used once and not retained for ongoing processing
  • Failed matches are deleted immediately

We take reasonable steps to ensure personal information is accurate and up to date.

Who we share personal information with

We share personal information only where necessary:

  • Billers - to confirm deduction setup, changes, failures or settlement
  • Payroll software providers - to enable eligibility checks and operate deductions
  • Employers - only confirmation and instruction data needed to run payroll deductions
  • Service providers - including hosting, analytics and customer support providers acting under contract
  • Professional advisers - legal, accounting and insurance advisers where required
  • Regulators or authorities - where legally required

We do not sell personal data.

Ontime maintains a current list of service providers and sub-processors that support the operation of its services, including details of their role and processing location. This information is available on request and is kept under review as part of Ontime's supplier due diligence and risk management processes.

International transfers

Ontime does not routinely transfer personal data outside the United Kingdom or the European Economic Area (EEA). All personal data processed in connection with the Ontime service is hosted and processed within the UK and/or EEA.

If, in the future, Ontime engages a supplier that processes personal data outside the UK or EEA (including through remote access or support), Ontime will ensure that appropriate safeguards are in place in accordance with UK GDPR. This may include the use of the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with additional technical and organisational measures where required.

Where international transfers become relevant, this Privacy Policy will be updated to reflect the change.

Data retention

Ontime retains personal information only for defined periods:

  • Failed availability checks: deleted immediately
  • Incomplete onboarding: deleted within 30 days
  • Active service data: retained while deductions are active
  • Deduction and accounting records: retained for six years
  • Anonymised data: may be retained longer for reporting and analysis

Your rights

Individuals have rights under UK GDPR, including the right to:

  • Access personal data
  • Correct inaccurate data
  • Request deletion (where applicable)
  • Restrict or object to processing
  • Data portability

Requests can be made by contacting hello@ontime.co.

Marketing

Ontime does not independently promote or market products to employees using payroll, deduction or employment data.

Ontime may send limited communications that are necessary to operate the service, such as information about deductions, changes to the service, or important updates. These are service communications rather than marketing.

Where Ontime sends any direct marketing communications (for example about Ontime's own services), this will only be done in accordance with UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Individuals can opt out of marketing communications at any time using the details provided in those messages or by contacting us.

Ontime does not share personal information with third parties for their own marketing purposes.

Ontime does not provide marketing services to employers, payroll providers or billers, and does not use payroll or employment data for advertising, behavioural profiling or third-party marketing purposes.

Security

We apply appropriate technical and organisational measures to protect personal information, including access controls, encryption and monitoring.

Complaints and contact details

If you have questions about this Privacy Policy or wish to exercise your data protection rights, you can contact Ontime at compliance@ontime.co or hello@ontime.co. Requests will be handled in accordance with UK data protection law.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.

Changes to this policy

This policy may be updated from time to time. Material changes will be communicated appropriately.