Last updated: 26 September 2025
This Privacy Policy is designed to provide you with an understanding of how Teal collects, utilises, and shares your information to enhance and operate our services.
About Teal
Teal Connect Ltd (“Teal”, “we”, “us”, or “our”) is a company registered in England and Wales under company number 15050936 and has its registered office address at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.
Teal enables you to connect your payroll or HCM account and share data safely with trusted Third Parties such as banks, mortgage providers, or insurers. You may share this data with us by connecting your payroll account or by sending us your documentation manually. You are always in control of what you share and with whom. 
For most processing, Teal acts as an independent Data Controller. Where Teal processes data strictly on behalf of trusted partners, Teal may act as a Data Processor.
The terms “you” and “your” refer to the user accessing or using Teal or our Services. The term “Third Parties” refers to clients of Teal that request a verification.
When this Policy applies
Our Privacy Policy applies when you visit our website www.goteal.co or otherwise use our services. This may happen in connection with the services of Third Parties (such as banks, credit providers, or mortgage companies) who you use.
Data We Collect
We collect personal data in the following ways:
 - From payroll and HCM providers, where you authorise Teal to access your records (via API or secure portal login).
 - From HMRC, where you choose to connect through OAuth.
 - From you directly, if you upload payslips or provide details manually.
 - From authorised third parties (e.g. lenders sharing identifiers such as your NI number).
 - From your use of our website and systems (e.g. cookies, analytics, device signals).
 - From candidates and staff, through recruitment and HR systems.
| Category of data | What it includes | Source | Lawful basis | Retention |
| --- | --- | --- | --- | --- |
| Identity data | Name, address, date of birth, NI number | Payroll or HCM, HMRC, lender, payslips or provided by you | Legitimate interest | Kept for the duration of service or until objection |
| Employment & income data | Payslips, job title, employment status, tax documents | Payroll or HCM, HMRC, Payslips | Legitimate interest | Kept for the duration of service or until objection |
| Contact data | Email, phone number | Provided by you | Legitimate interest | Kept for the duration of service or until objection. |
| User credential data | Email, username, password | Provided by you | Legitimate interest | Kept for the duration of service or until objection |
| Employment & HR data | Staff contacts, recruitment data | Provided by you | Legitimate interest | Candidates: Deleted within 12 months if unsuccessful. Employees: Records kept for statutory periods (e.g. 6 years for tax/payroll records; some pension/accident records longer). |
| Device data | IP address, browser, device info | From your device | Legitimate interest | Short-term logs only (generally 30–90 days). |
| Fraud/integrity signals | Captcha, proxy detection | Teal systems | Legitimate interest | Kept for the duration of service or until objection |
| Verification report data | Structured reports of income, employment status, and verification outcomes shared with lenders or other Authorised Third Parties | Generated by Teal from payroll provider / HMRC data following employee authorisation | Legitimate interest | Held only for the duration required to transmit to the Authorised Third Party. Not stored long-term by Teal |
| Aggregated / Anonymised Data | Benchmarking datasets, industry insights, anonymised trend reports | Derived from payroll and employment data after anonymisation and aggregation | Not personal data once anonymised, therefore outside GDPR scope. Creation process (from identifiable data) is under Legitimate Interest (service improvement, fraud reduction, fair pricing) | Indefinite, as no longer personal data |
| Backups and Archives | Encrypted system snapshots, database backups, disaster recovery archives | Copies of production systems (AWS S3, DynamoDB, Aurora) taken automatically for resilience | Legitimate interest | Backups retained for rolling 90 days unless needed for longer regulatory reasons |
| Legal and regulatory audit logs | CloudWatch audit logs, API call records, authorisation and revocation events, incident response records | Automatically generated by Teal systems (AWS, API gateways, security services) | Legal Obligation | Retained as necessary to meet FCA, UK GDPR, and audit obligations (typically up to 6 years) |
Teal does not intentionally collect special category data (such as health, race, religion, or sexual orientation) or criminal offence data. If such data is provided incidentally (e.g. via documents you upload), it will be handled in accordance with our Data Protection & Governance Policy.
Teal retains personal data only for as long as it is needed to fulfil the purposes set out in our Privacy Policy and to meet legal, regulatory, and audit requirements. When data is no longer needed, it is securely deleted or anonymised.
How we use your personal data
We use your personal data for the following purposes:
Core Service Delivery
| Purpose | Lawful basis |
| --- | --- |
| Income & employment verification | Legitimate Interest |
| Fraud prevention & identity assurance | Legitimate Interest |
| Ongoing credit risk monitoring (if user chooses periodic access) | Legitimate Interest |
| Secondary checks for authorised third parties (e.g. lenders, landlords, insurers, telcos) | Legitimate Interest |
| Providing customer support | Legitimate Interest |
| Aggregated and anonymised insights for benchmarking | Outside GDPR (no personal data) |
Operational and Governance Purposes
| Purpose | Lawful basis |
| --- | --- |
| HR and recruitment (employee and candidate records) | Legitimate Interest |
| Finance and accounting (invoices, payments) | Legitimate Interest |
| Website analytics and tracking (Google Analytics, cookies) | Legitimate Interest |
| Legal and contractual record-keeping | Legitimate Interest |
| Audit logging, monitoring, security, incident response | Legitimate Interest |
| Compliance with laws | Legitimate Interest |
| Service improvement (normalisation, accuracy testing, fraud reduction) | Legitimate Interest |
Disclosures of personal data
We share your personal data with:
- Authorised Third Parties (ATPs): Lenders, insurers, telcos, landlords - via secure verification reports.
- Payroll providers and HMRC: Only for retrieval on user instruction, not for disclosure back.
- Service Providers: AWS (cloud hosting and storage), Google Analytics (website usage), Mixpanel (product analytics), technology providers that help us parse or secure payroll data, other IT/security vendors supporting infrastructure.
- Professional advisers (lawyers, auditors, insurers) where legally required.
We also may disclose information in the following circumstances:
- Business Transfers. If we are or may be acquired by or merged with another company, if any of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer your personal information to the other company.
- In Response to Legal Process. We also may disclose your personal information in order to comply with the law, a judicial proceeding, court order, or other legal processes, such as in response to a court order or a subpoena.
- To Protect Us and Others. We also may disclose your personal information where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Service or this Notice, or as evidence in litigation in which Teal is involved.
- Aggregate and De-Identified Information. We may share aggregated and anonymised information for research, benchmarking, and service improvement. This information does not identify you.
How we store your data
We normally store your data on secure servers in the UK or EU. Sometimes, because we use third-party service providers, your data may be stored or accessed outside these regions (for example, on a cloud server).
If this happens, we make sure your data is protected by law. This includes using:
- Adequacy decisions (where the UK/EU has confirmed the country offers strong protection), or 
- the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
You can ask us for more details about these safeguards by contacting privacy@goteal.co
Security and Overseas Transfers
Teal stores your personal information as encrypted electronic data on Amazon Web Services servers located in the UK and EU. We use encryption, access controls, and monitoring to protect personal data. Access is limited to authorised personnel only.
Teal will take reasonable steps to ensure that personal information that is held which is no longer required, including under any contractual or legal requirement, is destroyed or de-identified in a secure manner. 
We are based in the United Kingdom. Some of our service providers are located outside the UK and may process your personal data in other countries. This includes providers of cloud hosting, analytics, and technical services. Where required by applicable law, we have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. 
Your rights under data protection law
You can exercise your rights at any time by emailing privacy@goteal.co. As a data subject in the UK, you have the following rights:
- Right to be informed: to receive clear information about how we use your personal data (this Privacy Policy provides that information).
- Right of access: to request a copy of the personal data we hold about you.
- Right to rectification: to have inaccurate or incomplete personal data corrected.
- Right to erasure: to ask us to delete your personal data in certain circumstances.
- Right to restrict processing: to request that we limit how we use your personal data in certain circumstances.
- Right to object: to object to our processing of your personal data where we rely on legitimate interests.
- Right to data portability: to request that we transfer your personal data to you or to another organisation in a structured, commonly used, and machine-readable format.
- Rights in relation to automated decision-making and profiling: to request human review and to contest decisions made solely by automated means, where applicable.
- Right to lodge a complaint: to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your data.
If you are unhappy with our response, you can contact the Information Commissioner’s Office (ICO) with registration number ZB647212. Before we process any request, we may ask you for certain Personal Data to verify your identity, and in situations where Teal is the Data Processor, consult with the Data Controller of your data. Where permitted by local law, we may refuse requests that are unreasonable or impractical. Please allow us a reasonable time to respond to your inquiries and requests in line with local law requirements. 
Changes to this Privacy Policy
If we change this policy, we’ll update the date at the top and post the new version on our website. If the changes are important, we’ll also tell you by email or alternative methods.
Contact Information
If you have any questions, comments, or concerns about how we process your data, please email us at privacy@goteal.co or write to us at:
Teal Connect Ltd
71-75 Shelton Street 
Covent Garden
London 
WC2H 9JQ
