General Data Protection Regulation (GDPR)

We regularly review how we can most securely store your data. We protect it in three key dimensions:

1. What we’re storing:

We store only necessary information, as collected by you. Individual logins mean that your team members can keep their details accurate and up to date, ensuring that you meet your legal obligations as an employer.

2. How we're storing it:

We encrypt your data both at rest and in transit, and our site and storage processes are architected for security. See Security Measures for specific details.

3. Who can access it:

We have extensive internal access controls and regulations for the Charlie team, who only have access to data under limited conditions, and have all been security checked. Within our software you are able to set account roles for all employees to restrict access to sensitive materials.

We follow the principles of the General Data Protection Regulation of May 2018. We have a designated Data Protection Officer, and accountability and privacy are principles that are designed into both our software and policies.

Our core compliance with the act means we:

  • Have full awareness of where any of your data is being held & when outside the EU, ensuring appropriate compliance is in place

  • Ensure that only those who require access to your data are able to & we have the highest level of protection against unauthorised access

  • Ensure you have the right to view, amend, export or delete any information that we hold on your behalf, including anything held by 3rd party services

  • Ensure that consent is given during the sign up process for all that use Charlie and allowing you to withdraw this at anytime

You’re able to review the exact standards we hold ourselves to via our Privacy Policy.

Our Data Protection Officer is on hand should you have any concerns or issues, they can be contacted at [email protected]

Frequently asked questions

Are you compliant with the GDPR?

Based on our self-assessment and that of our external Data Protection Officer we are currently compliant.

Who is the official Data Protection officer for your organisation?

Ben Branson-Gateley. You can contact them via [email protected].

Do you market other services to the employees we add to the system?


How long do you retain our employee data?

Our retention periods are defined by you, you have full control of what data is held on our system and are free to remove or amend it at any time.

Where is our data held?

Within the EU.

Do you have a training programme in place for staff that have access to the personal data of our customers?

Yes, this is defined by our commitment to ISO 27001 compliance and the controls we have in place internally for that. You can read more about our security measures here.

If we were to ask you to remove all data we have provided you on an employee would you be able to do that in a timely fashion?

Of course – please email [email protected].

Do you have a process in place for reporting personal data breaches to affected companies and the relevant data protection authority, and in some circumstances, to the affected data subjects, where feasible, within 72 hours of having become aware of it?

Yes we do.

Do you have a security policy?

Yes we do – you can read about the majority of our controls here.

Do you have a data processing addendum?

Yes we do – you can download it here.


ISO/IEC 27001Cyber essentials certified