TPC Field — Privacy Policy
Last updated: 4 July 2026
This policy explains how TP Compliance Ltd (“TPC”, “we”, “us”) handles personal data when you use the TPC Field mobile app. It is written for the field user who installs the app, the manager who issues access, and the organisation whose sites the work is carried out on.
TPC Field is a workplace tool. It is not available for general consumer sign-up. Access is issued by your organisation’s admin team. If your organisation does not use the TPC platform, you will not be able to log in.
1. Who we are
TP Compliance Ltd is registered in England and Wales. You can contact us at hello@tpcompliance.co.uk, or via tpcompliance.co.uk.
We are the data controller for the personal data this policy covers, in the sense given to that term by the UK General Data Protection Regulation (“UK GDPR”) read together with the Data Protection Act 2018.[1]
2. What this policy covers
This policy covers personal data about you, the field user of the TPC Field app — your name, phone number, the photos you take on the job, the signatures you make.
Work records that belong to your employer’s customer (the building owner, landlord, or responsible person) are governed by a separate data processing agreement between TPC and that customer organisation. In that arrangement, the customer organisation is the controller and TPC is the processor. If you want to know how those records are handled, ask your manager for the customer’s privacy policy.
3. What we collect
The TPC Field app collects only what it needs to do its job:
- Your name and phone number — issued to us by your organisation’s admin when they create your account.
- An internal user identifier — a random UUID we generate so the system can link your work records to your account.
- Work record content — photos you take on the job, signatures you make, free-text notes you type, and document sign-off timings.
- Device identifiers + crash and performance data — for reliability monitoring. Crash data is anonymous; device identifiers are linked to your account so we can correlate a fault with a session.
We do not collect your location, contacts, calendar data, microphone audio, browsing history, advertising IDs, biometric data, or financial information.
4. Why we collect it — our lawful bases
Under UK GDPR Article 6 we rely on two lawful bases for the data above:[2]
- Performance of a contract (Article 6(1)(b)) — for the data needed to give you access, attribute your work, and deliver the records your employer has contracted us to provide.
- Legitimate interests (Article 6(1)(f)) — for the reliability telemetry (crash data, performance metrics) that lets us keep the app working in the field. The legitimate interest is operating a safe and reliable tool; we balance that against your rights and only collect what we need.
We do not rely on consent for any of this data. We do not process special-category data (such as health data) or criminal-offence data through the TPC Field app.[3]
5. Where your data sits + how we protect it
Personal data is stored in PostgreSQL databases hosted in the United Kingdom (London region). Each customer organisation’s records are partitioned to their own tenant — your data is not co-mingled with another organisation’s.
Data in transit is protected by TLS 1.3. Data at rest is encrypted using AES-256. Photo and signature files are served through signed, time-limited URLs. We do not transfer your personal data outside the UK; if that ever changes we will update this policy and notify users in the app.
6. Who else sees your data
Your personal data is accessible to:
- Your organisation’s admin team — they need to see what you submit to approve it, escalate it, or return it for rework.
- Our infrastructure provider — Supabase Inc., acting as a sub-processor in the UK region. They host and serve the database and storage.
We do not sell your data, share it with advertisers, or use it to build marketing lists. We do not use third-party analytics SDKs that share data with anyone else.
If we are compelled by law to disclose your data — for example, a court order or a statutory request from a regulator — we will, but we will tell you unless legally barred from doing so.
7. How long we keep it
The work content you produce belongs to your organisation’s tenant. The retention period for that content is determined by your organisation’s own compliance retention obligations and is set in the contract between TPC and your organisation.
The personal data we hold about you is kept for as long as your organisation’s account is active. If your organisation revokes your access, we close your account and delete your authentication credentials immediately; we retain your name and the audit-trail attributions for as long as the work records themselves are required by the organisation’s retention policy.
Anonymised crash and performance data is kept for 12 months and then deleted.
8. Your rights under UK data protection law
Under UK GDPR you have a number of rights in relation to your personal data:[4]
- The right to be informed — this policy, together with anything we tell you in the app, is how we discharge that obligation (Articles 13 and 14).
- The right of access — you can ask us for a copy of the personal data we hold about you (Article 15).
- The right to rectification — if any of it is wrong, we will correct it (Article 16).
- The right to erasure (the “right to be forgotten”) — you can ask us to delete your data, subject to limits where we need to keep it for a legal obligation (Article 17).
- The right to restrict processing — you can ask us to pause processing while we work out a dispute (Article 18).
- The right to data portability — you can ask for your data in a structured, machine-readable format (Article 20).
- The right to object — you can object to processing we are carrying out on the legitimate-interest basis (Article 21).
- Rights in relation to automated decision-making — Article 22 (as amended by the Data (Use and Access) Act 2025) gives you certain rights where a decision producing legal or similarly significant effects is made about you by automated means. TPC Field does not make such decisions — your work is reviewed by a human admin.
To exercise any of these rights, email hello@tpcompliance.co.uk. We will respond within one month.
9. Cookies and similar technologies
The TPC Field app uses only the cookies and on-device storage strictly necessary for it to work — authentication tokens, offline-queue state, your display preferences. We do not use cookies for advertising or to track you across other apps or websites. This treatment is permitted under regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 without requiring consent.[5]
10. Children
TPC Field is a workplace tool issued to adult professionals in the course of their employment. We do not knowingly collect personal data from anyone under 18.
11. Changes to this policy
We’ll post the latest version of this policy at this URL and update the “Last updated” date at the top of the page. If we make a material change to how we handle your data we will tell you in the app before the change takes effect.
12. Complaints
If you are unhappy with how we have handled your data, please contact us first at hello@tpcompliance.co.uk. We’d like the chance to put it right.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK’s supervisory authority for data protection.[6] You can do so at:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
13. How to contact us
For anything to do with privacy — a question, a request to exercise a right, a complaint — please contact us at:
- Email: hello@tpcompliance.co.uk
- Web: tpcompliance.co.uk