Privacy policy
What we collect, why, the lawful bases we rely on, who we share it with, how long we keep it and your rights. Written in plain English and kept current with the product.
Last updated 17 June 2026.
Who we are
ReceptionOS is a visitor-management platform operated by Fluid IT Services Ltd, a company registered in England and Wales (number 10214593) with its registered office at Abacus House, Caxton Place, Cardiff CF23 8HA (VAT GB 437 1289 04). In this policy, "we", "us" and "ReceptionOS" mean Fluid IT Services Ltd. You can reach us about anything in this policy at hello@receptionos.co.uk.
When we are a controller, and when we are a processor
This distinction matters for your rights, so we draw it up front:
- For visitor and booking records, we are a processor. An organisation that uses ReceptionOS to run its front desk is the data controller for the people who sign in or book a visit at its sites. We process that personal data only on that organisation's documented instructions, to provide the service. If you have visited or booked with such an organisation, it — not us — decides why and how your data is used, so your first point of contact is that organisation.
- For our own accounts, website and billing, we are a controller. When an administrator creates an account, when you browse this website or use a public booking page, or when an organisation pays for the service, we decide how that data is handled and this policy applies to us directly.
What we collect
Visitor and front-desk data (as a processor, on a customer's instructions):
- visitor, employee and contractor names, the company they represent, and contact details (email, phone) where collected;
- sign-in and sign-out times, the host being visited, and the site and reception used;
- a visitor photo, only where a site enables badge photos;
- vehicle registration, only where a site enables vehicle-aware sign-in;
- acknowledgements of NDAs, inductions or permits where a site requires them, and any custom fields a site configures;
- booking details for scheduled visits, and employee sign-in PINs, which are stored only as a salted hash and never in plain text.
Account and platform data (as a controller):
- administrator name, work email, role and the sites or organisations they belong to;
- authentication data handled through our single sign-on provider, and a signed session cookie;
- billing and subscription details for paying organisations;
- support correspondence and product-usage and security logs (including a tamper-evident audit log of administrative actions).
Website and booking-page data (as a controller): the information you submit on a public booking page, and basic technical data (such as IP address and request logs) needed to serve the site securely. This site uses no third-party advertising or cross-site tracking scripts.
Why we use it, and our lawful bases
As a controller, we rely on the following lawful bases under UK GDPR:
- Performance of a contract (Article 6(1)(b)) — to create and run accounts, provide the service and take payment;
- Legitimate interests (Article 6(1)(f)) — to keep the platform secure, prevent abuse, maintain audit logs, and improve the product, balanced against your interests and rights;
- Consent (Article 6(1)(a)) — for any optional communications, which you can withdraw at any time;
- Legal obligation (Article 6(1)(c)) — where we must retain records to meet accounting or other legal duties.
When we act as a processor for visitor data, the lawful basis is the controller organisation's responsibility; we process that data only to deliver the service on its behalf.
Sub-processors
We use a small set of trusted providers to run the service. Each is bound by a data processing agreement and processes data only to provide its part of the platform:
- Cloudflare — hosting, database, file storage (visitor photos and documents) and email delivery;
- WorkOS — administrator single sign-on and identity;
- Twilio — SMS host notifications, only where an organisation enables them;
- Stripe — subscription billing and card payments for paying organisations.
We will give customers reasonable notice of any change to this list. We do not sell personal data, and we do not share it with anyone for their own marketing.
International transfers
We aim to keep personal data in the UK and EEA. Where a provider processes data outside those areas, the transfer is protected by an appropriate safeguard — typically the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum.
How long we keep it
Each site sets its own retention period for visitor records, and ReceptionOS deletes them automatically when it expires. A controller organisation can also erase an individual's records on request from the admin portal, which removes the record and its stored photo. Account and billing data is kept for the life of the contract and for any period we are legally required to retain it afterwards.
Security
Every record is scoped to its owning organisation and site, so one customer can never see another's data. Access to public APIs requires scoped keys, stored only as hashes; employee PINs are salted and hashed; administrative actions are written to a tamper-evident audit log. Traffic is encrypted in transit (HTTPS with HSTS), data is encrypted at rest by our hosting provider, and every surface sends a strict content-security policy. No security is perfect, but these are defaults, not add-ons.
Cookies
We use only essential cookies — for example, a signed session cookie that keeps an administrator logged in. We do not use advertising or cross-site tracking cookies, and this site loads no third-party scripts by default.
Your rights
Under UK GDPR you have the right to access your data, to have it corrected or erased, to restrict or object to its processing, to data portability, and to withdraw any consent you have given. To exercise these rights over a visitor or booking record, contact the organisation whose site you visited — it is the controller — and we will support its request as its processor. For data we hold as a controller (your account, this website, billing), email hello@receptionos.co.uk.
GDPR and the data processing agreement
ReceptionOS is built for UK GDPR: per-site retention, data-subject erasure, organisation-scoped access and audit logging are product features. For customers, a data processing agreement (DPA) sets out the processing terms, sub-processors and security measures in full and forms part of your contract with us. To request the current DPA, or for bespoke terms, contact hello@receptionos.co.uk.
Children
ReceptionOS is a workplace tool and is not directed at children. Whether to collect data from anyone under 18 at a site is a decision for the controller organisation, under its own lawful basis.
Changes to this policy
We update this policy as the product changes and will revise the date above when we do. For changes that materially affect how we handle personal data, we will give reasonable notice.
Complaints
We would always like the chance to resolve a concern first, so please contact us. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.
This policy is kept current with the product and is reviewed by our advisers; it does not replace the signed agreement or DPA, which take precedence.