Privacy Policy

Last updated: 1 July 2026

This document was last updated on 1 July 2026 and is subject to change. Please check back regularly.

This Privacy Policy explains how PayMyReps (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use our commission calculation platform. We’re a UK-based company and we take data protection seriously — so we’ve written this in plain English.

1. Who we are

PayMyReps is a software-as-a-service platform that helps sales teams calculate, verify, and distribute commission payments. We are based in the United Kingdom and operate as a data processor under UK GDPR — meaning we process personal data on behalf of our business customers (the data controllers). Our customers are responsible for determining why and how personal data is processed through our platform.

For the purposes of managing your PayMyReps account (your email address, login activity, and billing), we act as a data controller in our own right.

2. What data we collect

We collect and process the following categories of data:

Account data (controller role)

  • Your work email address
  • Your display name (optional, self-provided)
  • The date and time you created your account and last signed in
  • The date you accepted our Terms of Service, Privacy Policy, and DPA
  • Your subscription tier

Commission run data (processor role — uploaded by you)

  • Your sales representatives’ names
  • Your sales representatives’ email addresses (optional — only if you provide them for statement delivery)
  • Sales figures, deal counts, and commission amounts associated with each representative
  • Any targets, product categories, or deal identifiers you include in your uploaded CSV

Usage data

  • Standard web server logs (IP address, browser type, pages visited) retained for security purposes

3. Why we process your data and on what legal basis

To provide the service (contract performance): We process your account data and commission run data to deliver the features you’ve subscribed to — calculating commissions, generating statements, and maintaining run history.

Compliance and audit (legitimate interests): We retain commission run data for up to 2 years to allow you and your organisation to audit past payroll decisions. This is proportionate to the legitimate business need for payroll audit trails.

Legal obligations: We may retain certain records where required by applicable UK law.

4. How we use your data

  • To authenticate you and maintain your account
  • To calculate commission outputs based on the rules and data you configure
  • To send commission statements to your sales representatives (via Resend, our email delivery provider — see sub-processors below)
  • To store your run history so you can audit past periods
  • To contact you with important service announcements (we do not send marketing email without separate consent)

5. Sub-processors

We use the following third-party sub-processors to deliver our service. Each is bound by a data processing agreement and complies with UK GDPR requirements:

  • Supabase / Neon — Database hosting. Your commission data and account records are stored in a PostgreSQL database hosted on Supabase or Neon infrastructure. Servers are located in the EU.
  • Resend — Transactional email delivery. When you send commission statements to your representatives, those emails are delivered via Resend. Resend processes your representatives’ email addresses only for the purpose of delivery.
  • Vercel — Application hosting and edge infrastructure. Our web application runs on Vercel’s platform. Vercel may process request data (including IP addresses) as part of serving the application.

We will notify you of any changes to our sub-processor list by updating this page and, for material changes, by email.

6. Data retention

  • Commission run data — We retain finalized run data (including rep names, sales figures, and commission amounts) for up to 2 years from the date of the run, to support audit requirements.
  • Account data — Retained for the duration of your subscription and for up to 90 days after account closure, after which it is permanently deleted.
  • Email delivery logs — Retained by Resend for a short period per their own retention policy.

7. Data transfers

Our sub-processors may store or process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place — such as the UK International Data Transfer Agreement (IDTA) or adequacy decisions — in line with UK GDPR requirements.

8. Your rights under UK GDPR

As a UK data subject, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Ask us to correct inaccurate data
  • Erasure: Request deletion of your data (subject to our retention obligations)
  • Restriction: Ask us to limit how we use your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, email us at support@paymyreps.com. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

9. Account deletion

If you wish to close your account and have your data deleted, contact us at support@paymyreps.com. We will delete your account data within 30 days of your request. Commission run data may be retained for the duration of our 2-year audit retention period before being permanently deleted.

10. Cookies

PayMyReps uses only strictly necessary cookies — specifically a session cookie to keep you signed in. We do not use advertising cookies, analytics cookies, or any third-party tracking technology.

11. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by displaying a notice in the application. The “last updated” date at the top of this page always reflects the most recent version.

12. Contact

For any privacy-related questions or to exercise your rights, contact us at: support@paymyreps.com