Privacy Policy for Mobile Application – Hollilander Agency Staffing
Last updated: 24 Nov 2025
1) SCOPE AND WHO WE ARE
This Privacy Policy explains how we collect, use and share personal data when you use the Hollilander agency staffing application and related services (the “App” and the “Service”). Hollilander is operated by Hollilander Limited, controller for App user data. Registered office: Unit 53, Southern Cross Business Park, Boghall Road, Bray, Co. Wicklow, Ireland. General support: agencyworkers@hollilander.com. Privacy contact: agencystaffing@hollilander.com. Website: www.hollilander.ie.
This policy is designed for professional adult users (18+) and complements our Terms & Conditions.
2) LEGAL FRAMEWORK
We process personal data in accordance with the EU/UK GDPR, the Irish Data Protection Act 2018, and applicable employment, tax and health and safety laws.
3) CATEGORIES OF PERSONAL DATA WE PROCESS
– Identity and contact: name, date of birth, photo/ID image, address, email, phone.
– Right to work and immigration: passport, visa/IRP details, permits, nationality and proofs.
– Credentials and vetting: education/training records, certificates, professional memberships, Garda Vetting, references.
– Employment and shift data: clock-in/out timestamps, optional geolocation at clock events, timesheets, approvals, duties performed, incident notes and compliance records.
– Payroll and finance: PPSN, Revenue Payroll Notification (RPN) data, pay and deductions (PAYE/USC/PRSI), IBAN/BIC, expenses, advances if requested.
– Device/technical: device identifiers, IP address, app version, crash logs, authentication tokens, notification tokens.
– Communications: messages with our team or client facilities, support tickets, audit logs.
– Optional special-category data: limited occupational health information (e.g., immunisation status, fitness-to-work) where required by client policy or law.
4) PURPOSES AND LAWFUL BASES
We process personal data to:
– Provide, secure and administer the Service, including identity checks, scheduling, timesheet management and payroll. Lawful basis: contract performance and legitimate interests.
– Comply with legal obligations, including employment and tax filings with Irish Revenue, safeguarding and health & safety reporting. Lawful basis: legal obligation.
– Protect the Service and its users, including fraud prevention, security monitoring and incident management. Lawful basis: legitimate interests and legal obligation.
– Communicate with you about shifts, pay, updates and compliance. Lawful basis: contract performance and legitimate interests.
– Send marketing communications where you have given consent. Lawful basis: consent; you can withdraw consent at any time.
Special-category data (occupational health) is processed under GDPR Article 9(2)(b) and 9(2)(h) and the Data Protection Act 2018, with strict access controls and minimisation.
5) ACCOUNT DELETION
You can delete your Hollilander account in the App under: Profile -> Account -> Delete account, or by emailing agencystaffing@hollilander.com from your registered email. We deactivate access immediately and permanently delete in‑app data within 30 days. We will retain records we are legally required to keep (e.g., payroll/tax) for up to 6 years and then securely delete or anonymise them.
6) RETENTION PERIODS
We retain personal data only as long as necessary for the purposes above and to meet legal and audit requirements. Typical periods:
– Identity and contact: up to 6 years after last payroll or final engagement.
– Right‑to‑work and vetting documents: 2 years after the end of engagement, or longer if required by law or contract.
– Timesheets, shift records and location-at-clock events: 2 years (or per client policy), then anonymised.
– Payroll and tax records (PPSN, RPN, payslips): 6 years (Revenue requirements).
– Incident and compliance records: per applicable law or client policy (generally 2–6 years).
– Device diagnostics and crash logs: up to 12 months.
We may retain data longer when necessary for investigations, dispute resolution or legal claims.
7) LOCATION DATA (WHEN ENABLED)
If you enable Location permissions, we capture your device’s location at clock‑in and clock‑out to validate attendance at client sites. We do not collect continuous background location unrelated to time and attendance. You can switch off Location in device settings; some features may not work without it.
8) SDKS AND ANALYTICS
We use SDKs to operate and improve the App:
– Firebase Analytics and Crashlytics: performance metrics, diagnostics and crash logs.
– Mapping SDK (e.g., Google Maps): geofencing and map display for clock‑in validation.
– Push notifications (FCM/APNs): deliver shift alerts and system messages.
These SDKs may receive device identifiers and diagnostics. We do not use third‑party advertising SDKs or enable cross‑app tracking.
9) SHARING AND RECIPIENTS
We share personal data with:
– Client facilities for onboarding, scheduling, timesheet approvals and compliance checks.
– Payroll providers and Irish Revenue for lawful payroll and tax processing.
– Identity and credential verification services, where used, to validate licences and training.
– Cloud hosting, email and IT support providers who act as processors under contract.
– Analytics and crash diagnostics providers for service quality and security.
Sharing is limited to what is necessary for the Service and governed by contracts and due diligence.
10) INTERNATIONAL TRANSFERS
Where processors or support staff are located outside the EEA/UK, we use the EU Standard Contractual Clauses (EU 2021/914) and carry out transfer risk assessments. Where appropriate we apply supplementary measures such as encryption, access controls and data minimisation.
11) STORAGE LOCATION
Primary storage is within the EU/EEA. Some backups or support operations may occur in the EEA/UK. Any transfers outside these regions follow the safeguards described above.
12) SECURITY AND BREACH NOTIFICATION
We apply technical and organisational measures including encryption in transit and at rest, role‑based access, audit logging and multi‑factor authentication for administrators. You must protect your device and credentials. If a personal‑data breach is likely to result in risk to you, we will notify the Data Protection Commission within 72 hours and inform affected users without undue delay.
13) AUTOMATED DECISION‑MAKING
We do not make decisions with legal or similarly significant effects based solely on automated processing. Automated tools may assist with shift suggestions and screening, but final decisions involve human review.
14) MARKETING COMMUNICATIONS
Service communications (e.g., payslips, shift confirmations) are sent without consent. Marketing communications are sent only with your consent. You can opt out at any time via the link in the message or by contacting agencystaffing@hollilander.com.
15) YOUR RIGHTS AND HOW TO EXERCISE THEM
You have rights of access, rectification, erasure, restriction, portability and objection, and the right to withdraw consent where used. To exercise rights, email agencystaffing@hollilander.com from your registered address. We may request identification to verify your request. We aim to respond within 1 month, extendable by two months for complex requests. We keep verification copies only as long as needed to complete your request.
Complaints: you may contact the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, www.dataprotection.ie, info@dataprotection.ie.
16) CHILDREN
The App is intended for adults (18+) working in professional healthcare staffing. We do not knowingly collect children’s data.
17) COOKIES, SDKS AND PERMISSIONS SUMMARY
– Cookies on our website support authentication, security and performance. You can manage cookies in your browser.
– Mobile permissions requested by the App:
- Location for validating clock‑in/out at client sites (optional).
- Camera and Photos/Files for capturing IDs, certificates and evidence.
- Notifications for shift alerts and changes.
- Limited background services only for permitted purposes (e.g., queued uploads or geofence check at clock‑in).
Disabling permissions may limit functionality. There is no continuous GPS tracking, no microphone access, and no camera access unless you actively capture an image/document.
18) GOOGLE PLAY DATA SAFETY SUMMARY
Data collected: identity and contact information; location (approximate/precise when enabled); personal files you upload (e.g., certificates); financial information for payroll; app activity and device identifiers; diagnostics (crash logs).
Purposes: app functionality, account management, security/fraud prevention, payroll processing, analytics/performance and support.
Data sharing: with payroll/Revenue and client facilities as required for staffing and payroll. Data is not sold.
19) APPLE APP STORE PRIVACY LABEL (INDICATIVE)
Data linked to you for app functionality and account management: identifiers, contact information, employment/shift data and financial information. Diagnostics and usage data may be collected for app performance. We do not use data for third‑party advertising or cross‑app tracking.
20) SUB‑PROCESSORS
Core processors include SimplePay (payroll; https://www.simplepay.ie/privacy) and secure cloud hosting providers. We will post changes before onboarding new providers.
21) CONTACT HOURS AND PRIVACY INBOX SLA
Privacy and data requests: Monday to Friday, 09:00–17:00 (Irish time). We target an initial response within 5 business days and completion of standard requests within 1 month.
22) CHANGES TO THIS POLICY
We may update this Privacy Policy. Material changes will be notified in the App or by email. Continued use after the effective date means you accept the updated Policy.
23) CONTACT
Controller: Hollilander Limited. Registered office: Unit 53, Southern Cross Business Park, Boghall Road, Bray, Co. Wicklow, Ireland. Privacy contact: agencystaffing@hollilander.com. Support: agencyworkers@hollilander.com.