Legal

Privacy Notice

Last updated: July 2026. This privacy notice explains how VariationDesk Ltd handles personal data across the website, mobile app, desktop tools and customer workspaces.

Important: VariationDesk is a commercial evidence tool. Customers remain responsible for their own data-protection compliance, site notices, employment policies, subcontract requirements and the legal basis for collecting signatures or photographs on site.

1. Who we are

VariationDesk Ltd is a company registered in England and Wales. This notice explains how we handle personal data when people use our website, create a workspace, use the application, receive support or are invited into a customer workspace.

For privacy questions, contact info@variationdesk.co.uk. If a customer has a separate signed agreement with us, that agreement may contain additional data-processing terms.

2. Our role

For account administration, marketing, sales, billing and support data, VariationDesk normally acts as a data controller.

For personal data uploaded into a customer workspace, such as technician details, site representative details, signatures, photographs, project references and commercial evidence, the customer normally acts as controller and VariationDesk acts as processor, unless otherwise agreed in writing.

3. Data we process

We may process user account details, names, business email addresses, company names, roles, login/session records, billing metadata, support messages and product usage information.

Customer workspace data may include project details, client/main-contractor details, SOR/rate-card rows, variation records, descriptions of works, quantities, notes, photographs, signatures, PDF evidence sheets, export metadata and audit logs.

4. Why we process data

We process data to provide the VariationDesk service, authenticate users, maintain team permissions, capture site variation evidence, generate evidence documents, support billing handover, improve reliability, prevent misuse, respond to enquiries and comply with legal obligations.

We may also use limited business contact details to send service updates, product notices and relevant commercial communications. Users can ask us to stop non-essential marketing at any time.

5. Location, photos and signatures

VariationDesk is designed to capture evidence at the point a technician takes a site photo, signs on-screen or taps submit. When location permission is granted, the app captures location only for those foreground actions and does not continuously track technicians in the background.

Offline evidence is saved locally on the user's device and synced later when connectivity returns. Session tokens are stored using protected device storage where supported. The sync process uploads data already captured by the user and does not start background location tracking.

6. Manager magic links and verification codes

Secure manager sign-off links, email one-time codes and SMS one-time codes are operational service messages used to verify and complete a requested variation sign-off. They are not marketing messages.

When a manager signs through a secure link, VariationDesk may record the manager name, role, signature, timestamp, device or browser details, IP address and verification result as part of the audit trail for that variation.

7. Lawful bases

Depending on the context, we rely on contract, legitimate interests, legal obligation and consent. Contract covers providing the service. Legitimate interests covers security, product improvement, customer support, fraud prevention and B2B communications where appropriate. Consent is used where required, for example certain optional cookies or marketing preferences.

8. Customers must control what they upload

Customers are responsible for making sure their users have authority to upload project data, photographs, names, signatures and site information. Customers should avoid uploading unnecessary personal data, sensitive data or confidential third-party information that is not needed for the variation evidence workflow.

VariationDesk is not responsible for the accuracy, legality or contractual suitability of customer-entered project references, descriptions, quantities, rates, VAT treatment, signatory details or uploaded evidence.

9. Sharing and suppliers

We may share data with trusted suppliers who help us provide hosting, authentication, storage, email delivery, payment processing, analytics, support, accounting and security services. Suppliers must only process data for authorised purposes.

We may disclose information if required by law, regulator, court order, professional adviser, corporate transaction, or to protect VariationDesk, our customers, users or the public.

10. International transfers

Some suppliers may process data outside the United Kingdom. Where required, we use recognised safeguards such as adequacy arrangements, standard contractual clauses, international data transfer agreements or equivalent protections.

11. Retention

We keep personal data only for as long as needed for the purposes described in this notice, including providing the service, maintaining evidence records, resolving disputes, complying with law, enforcing agreements, security monitoring and legitimate business records.

Customers are responsible for deciding how long variation evidence and site records must be retained for their own contractual, insurance, legal and accounting purposes.

12. Account deletion and retention requests

Users can start an account deletion request from the mobile app settings screen or from the public account deletion page linked on this site. VariationDesk logs the request immediately and may need to verify identity, workspace authority or contractual ownership before completing deletion.

Some commercial evidence, finance records, audit logs or tax records may need to be retained for legal, contractual, fraud-prevention or accounting reasons before final erasure is completed.

13. Cookies and similar technologies

We may use essential cookies and local storage to keep users signed in, protect sessions and operate the website. Optional analytics or marketing cookies should only be used where appropriate notices and choices are provided.

14. Your rights

Individuals may have rights to access, correct, erase, restrict, object to processing, request portability and complain to the Information Commissioner's Office. Some rights depend on the legal basis and context. If your data is inside your employer's or contractor's workspace, we may direct the request to that customer as controller.

15. Changes

We may update this notice as the service, suppliers, legal requirements and product features develop. The latest version will be published on this page.