This Acceptable Use Policy (the "Policy") sets out the rules you must follow when accessing or using WagePilot (the "Service"), operated by [Whealbit Ltd OR sole trader - confirm legal entity & status], trading as WagePilot ("WagePilot", "we", "us" or "our"). In this Policy, "you" and "your" mean the customer who has contracted with us (the account holder) and, where the context allows, any person you permit to access the Service. This Policy is incorporated into, and forms part of, our Terms of Service, and it must be read together with our Privacy Policy, our Data Processing Agreement (the "DPA"), our Service Level Agreement (the "SLA"), our sub-processor list and our security information. Capitalised terms not defined here have the meaning given to them in the Terms of Service. If there is a conflict between this Policy and the Terms of Service, the Terms of Service prevail unless they expressly state otherwise; on matters of acceptable use specifically, this Policy prevails over any shorter acceptable-use summary in the Terms.
By creating an account, or by accessing or using the Service, you confirm that you have read and accept this Policy. Where the Service is presented to you with an "I agree" checkbox or similar mechanism at sign-up, your acceptance is recorded against the version of this Policy then in force.
Important terms - please read
Some terms in this Policy are particularly important and may affect your legal rights. Please read them carefully. In particular: section 2 (the Service gives guidance only and we exclude liability for your compliance failures); section 9 (your indemnity to us for certain third-party claims); and section 11 (our right, in defined circumstances, to suspend, restrict or terminate your access, sometimes immediately and without prior notice, and the limits on our liability for doing so).
1. Who this Policy binds
This Policy binds you and everyone to whom you give access to the Service or to your organisation's account, including your owners, administrators, managers, employees, workers, agents and contractors (together, your "Users"). You are responsible for the acts and omissions of all of your Users in connection with the Service as if they were your own, and you must ensure that every User complies with this Policy. You must not allow anyone who is not a permitted User to access the Service through your account, and you must keep login credentials, kiosk PINs and device exit codes confidential.
If you are an individual using the Service wholly or mainly outside your trade, business, craft or profession, you may be a "consumer". Where you are a consumer, this Policy still applies to you, but the consequences we may apply (in particular suspension and termination), and any indemnity or liability limit, will be applied proportionately and will not override your statutory rights, as described in sections 9, 11 and 14 and in the Terms of Service.
2. General obligation of lawful use; guidance only; no warranty
You must use the Service only for lawful purposes, in accordance with this Policy, the Terms of Service and all applicable laws and regulations, including (without limitation) data-protection law, employment law, the Working Time Regulations 1998, the National Minimum Wage and National Living Wage rules, equality and anti-discrimination law, and the Privacy and Electronic Communications Regulations 2003 ("PECR"). You are solely responsible for your own and your Users' compliance with the laws that apply to you, including how you use any outputs of the Service in your payroll, pay, scheduling or employment decisions.
Scope reminder. WagePilot is a time and attendance, rota, holiday and labour-cost tool. It is not a payroll provider, does not calculate tax, National Insurance or net pay, and does not move money. Its National Minimum Wage / National Living Wage ("NMW/NLW") checks and its Working Time Regulations break tracking are provided as guidance only and are not legal, payroll, tax or employment advice. You must not rely on the Service as a substitute for professional advice or for your own legal compliance.
No warranty on guidance; exclusion of related liability. The Service is provided without any warranty that its NMW/NLW or Working Time guidance, calculations or outputs are accurate, complete or current. To the fullest extent permitted by law, we exclude all liability for any underpayment, overpayment, penalty, fine, back-pay award, interest, or regulatory, HMRC or tribunal action arising from your reliance on the Service or its outputs, or from your own pay, scheduling or employment decisions. This exclusion is subject to the non-excludable carve-outs in section 11 and the liability provisions of the Terms of Service: nothing in this Policy excludes or limits our liability for death or personal injury caused by our negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot lawfully be excluded or limited under the Unfair Contract Terms Act 1977 or, where you are a consumer, the Consumer Rights Act 2015.
3. Prohibited content and conduct
You must not use the Service (including its data fields, file uploads, profile fields, notes and the in-app messaging feature) to create, store, upload, transmit, distribute, link to or otherwise make available any content, or to engage in any conduct, that:
- is unlawful, or that infringes or misappropriates any third party's intellectual-property rights, trade secrets, privacy rights or other rights;
- is defamatory, libellous, knowingly false, deceptive or fraudulent;
- is harassing, threatening, abusive, bullying, hateful or discriminatory, or incites violence or hatred against any person or group, including on the basis of any protected characteristic;
- is obscene, pornographic, sexually explicit, or otherwise indecent;
- exploits or endangers children or any vulnerable person;
- contains or distributes viruses, worms, trojans, ransomware, spyware or any other malicious code, or is designed to disable, damage, interfere with or impair any software, hardware, system, network or data;
- constitutes spam, unsolicited or unauthorised advertising, promotional material, "phishing" or other deceptive messaging; or
- impersonates any person or entity, or misrepresents your affiliation with any person or entity.
You are responsible for all content that you and your Users submit to the Service ("Customer Content"), for its accuracy, and for having all rights and lawful bases necessary to submit and process it.
4. Security and integrity of the Service
You must not, and must not permit any User or third party to:
- access or attempt to access any account, organisation, data, system or network that you are not authorised to access, or use another person's credentials;
- probe, scan, port-scan, test the vulnerability of, or breach or circumvent any authentication, security or access-control measure of the Service or its underlying infrastructure;
- conduct any penetration test, load test, stress test, vulnerability assessment or red-team exercise (meaning any simulated attack or adversarial security exercise) against the Service without our prior express written consent;
- introduce, upload or transmit any malicious code, or interfere with or disrupt the integrity, performance or availability of the Service or the data it contains;
- scrape, crawl, harvest, data-mine or use any automated means to extract data from the Service except through interfaces and export tools we expressly provide;
- decompile, disassemble, reverse engineer or otherwise attempt to derive the source code, underlying ideas, algorithms or structure of the Service, except to the extent such acts are permitted by sections 50A to 50C of the Copyright, Designs and Patents Act 1988 (back-up copies; observing, studying and testing the program; and decompilation necessary to achieve interoperability) or by any other right that cannot lawfully be restricted, which rights are not excluded by this Policy;
- circumvent, disable or interfere with any usage limit, plan limit, rate limit, metering, geofence, kiosk lock or other technical restriction of the Service;
- impose an unreasonable or disproportionately large load on, or otherwise overload or flood, the Service or its infrastructure; or
- use the Service to develop, train or benchmark a competing product or service.
Responsible disclosure. You must promptly notify us if you discover any actual or suspected security vulnerability, unauthorised access, or breach affecting the Service, using our security contact at [security / abuse contact email - confirm] (and see /security). So that we can protect other customers, you must not exploit, publicise or share any such vulnerability before we have had a reasonable opportunity to address it - for at least 90 days, or until we confirm a fix is deployed, whichever is earlier. Provided you act in good faith, comply with this section and give us that reasonable opportunity to remediate, we will not pursue claims against you for the act of testing or reporting under that disclosure. Nothing in this section restricts any disclosure that is required or protected by law, including a protected disclosure under the Public Interest Disclosure Act 1998 (whistleblowing).
5. Data-protection and privacy rules
Roles. In respect of the personal data of your workers and other staff that you enter into the Service for time-and-attendance purposes, you (the organisation) are the data controller and we act as your data processor; our respective obligations are set out in the DPA, which you must comply with and which governs our processing of that data under Article 28 of the UK GDPR. Separately, for the personal data of the account holder and administrators (account, billing, login, usage, security and analytics data), and for marketing-site visitors, we act as an independent controller and process that data under our Privacy Policy. We may also act as an independent controller for limited purposes such as service security, fraud prevention, billing and service improvement, as described in the Privacy Policy.
As a condition of your use of the Service, you must:
- have a valid lawful basis under the UK GDPR for processing each category of personal data you add to the Service, and (for any special-category data) an appropriate Article 9 condition (typically Article 9(2)(b) employment, via Schedule 1 Part 1 of the Data Protection Act 2018);
- provide all privacy notices and information, and obtain any consents or authorisations, required by law before you add any worker or other individual to the Service, including informing them about clock-in/out location capture and any kiosk photo capture;
- ensure that the personal data you enter is accurate, relevant and not excessive, and keep it up to date;
- use clock-in/out location data and kiosk photos only to verify the specific time and attendance event to which they relate, and for no other purpose; you must not use them for continuous tracking, covert monitoring, general surveillance, performance profiling unrelated to attendance, or any purpose beyond verifying that specific clock event;
- minimise special-category data: in particular, avoid entering health detail in free-text leave, absence or notes fields beyond what is strictly necessary, since absence and leave reasons can reveal health information; and
- respond to your workers' data-subject requests as the controller, and not represent to any individual that WagePilot is the controller of their staff data.
How we process staff data. Where the staff data you enter includes special-category data (for example health implied by sickness or absence), we will process it strictly on your documented instructions and within your Article 9 condition, as set out in the DPA. The Service is currently designed to capture location only at the moment of clock-in and clock-out (never continuously), to capture a kiosk photo only where you have enabled that feature and at the clock event, and, where a precise location check is not possible, to use a QR-code clock-in as a fallback; please check /security and the Privacy Policy for the current behaviour. You must not configure or use the Service in a way that misleads workers about this, or that uses these features for purposes they were not told about.
Workplace monitoring. Capturing location and photographs at the clock event is a form of workplace monitoring. As controller, you are responsible for assessing whether a Data Protection Impact Assessment is required and for identifying the correct lawful basis (which, given the imbalance of power in employment, is typically legitimate interests supported by a balancing test rather than consent), in line with ICO guidance on monitoring workers.
International transfers. Personal data in the Service is hosted in the [UK and/or EEA region - confirm exact region]. Transfers from the UK to the EEA rely on the UK's adequacy regulations. Where any sub-processor processes personal data outside the UK and EEA (for example payment processing that may involve the United States), we rely on the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment, as recorded in the DPA and our sub-processor list.
6. Fair use, volume and rate limits
The Service is provided subject to fair-use principles and to the plan limits, volume limits and rate limits applicable to your subscription tier, as set out on our pricing page or limits schedule ([plan / volume / rate limits per tier - confirm or link to limits schedule]). "Fair use" means use that is consistent with normal time-and-attendance operation for an organisation of your size and tier and that does not impose a disproportionate burden on the Service or other customers. You must not exceed those limits, evade metering, or use the Service in a way that is excessive, abusive or that materially degrades the experience of other customers. We may apply reasonable technical limits (for example on request rates, storage, message volume, exports or numbers of sites or Users) and may take proportionate steps to protect the stability and security of the Service. We will give reasonable notice of any new or changed limit where practicable, except where immediate action is needed to protect the Service or comply with the law. Availability and any action we take under this section are subject to the SLA and to the force majeure provisions of the Terms of Service.
7. Acceptable use of the messaging feature
The in-app staff messaging feature is provided for legitimate, work-related and operational communication between you and your Users. It is not a marketing channel. You must not use it to send unlawful, infringing, defamatory, harassing, discriminatory, obscene or otherwise prohibited messages (as described in section 3), to send spam or bulk unsolicited messages, to distribute malware or malicious links, or to send marketing or commercial messages in breach of PECR or other applicable law. You are responsible for the content of all messages sent through your account and for ensuring your messaging complies with employment and data-protection law.
For clarity, our own service and transactional communications to you (for example account, login-provisioning, credential, billing and security emails) are necessary to operate the Service and are not direct marketing under regulation 22 of PECR. Any direct marketing we send to account holders is sent in accordance with PECR and our Privacy Policy.
8. No resale or unauthorised commercial exploitation
Unless we have agreed otherwise in writing, you must not resell, sublicense, rent, lease, lend, time-share, host as a service bureau (that is, operate the Service to process the data of third parties as a commercial service), distribute or otherwise make the Service available to, or use it for the benefit of, any third party other than your own permitted Users for your own internal business purposes. You must not remove, obscure or alter any proprietary notices, branding or attributions, except where white-label or branding features are made available to your subscription tier and used in accordance with our instructions.
9. Your responsibility and indemnity
You are responsible for ensuring that you and your Users comply with this Policy. To the extent permitted by law, you agree to indemnify us against losses, damages, liabilities, and reasonable and properly incurred costs and expenses (including reasonable legal fees) that we incur as a result of third-party claims (including claims by your Users, workers, or by a regulator acting on behalf of, or in respect of, such individuals) to the extent arising from: (a) your or your Users' breach of this Policy; (b) your unlawful or non-compliant processing of personal data through the Service, or your failure to have a lawful basis or to give required notices; or (c) Customer Content that infringes a third party's rights or breaches applicable law.
This indemnity is subject to the following conditions and limits:
- we will promptly notify you in writing of any claim for which we seek indemnity, and will not admit liability or settle it without your prior written consent (not to be unreasonably withheld or delayed);
- we will give you the conduct of the defence and settlement of the claim if you so request and confirm in writing that the claim is covered by this indemnity, and we will provide reasonable cooperation at your cost;
- we will take reasonable steps to mitigate our loss;
- the amount you must indemnify will be reduced proportionately to the extent that our own act, omission, breach or negligence caused or contributed to the loss; and
- this indemnity does not extend to any fine, penalty or sanction imposed on us for our own non-compliance, and nothing in it requires you to indemnify us for any liability that cannot lawfully be transferred or excluded.
Whether the amounts payable under this indemnity sit within, or outside, the aggregate liability cap in the Terms of Service is determined by the Terms of Service, which you should read together with this section. If you are a consumer, this indemnity does not apply to you to the extent it would not be fair or binding under the Consumer Rights Act 2015; your liability as a consumer is limited to what the general law allows.
10. Reporting abuse or violations
If you become aware of any actual or suspected breach of this Policy, any misuse of the Service, any security vulnerability, or any unlawful or harmful content, please report it promptly: security and vulnerability matters to [security / abuse contact email - confirm], and data-protection or privacy matters to [data protection / privacy contact email - confirm] (or such other contact address as we publish at [the domain wagepilot.co.uk and any contact email are provisional - confirm]). Please include enough detail for us to identify and investigate the issue. We will handle reports in accordance with our Privacy Policy and applicable law.
11. Consequences of breach
If we reasonably consider, on reasonable grounds, that you or any of your Users have breached this Policy, or that your use of the Service poses a genuine security, legal or operational risk, we may take any one or more of the following actions, acting reasonably and proportionately to the breach or risk:
- issue a warning and require you to remedy the breach;
- remove, disable access to, or quarantine offending Customer Content or messages;
- suspend your or any User's access to all or part of the Service;
- terminate your account or subscription in accordance with the Terms of Service; and
- report the matter to law-enforcement or regulatory authorities, and cooperate with them, where we are required to do so by law or reasonably consider it necessary.
Where practicable, we will give you notice before suspending or restricting your access and an opportunity to remedy the breach. However, we may act immediately and without prior notice only where: (a) the breach involves illegal activity; (b) there is a material threat to the security, integrity or availability of the Service or to other customers' data; (c) we are required to act by law or by a regulator; or (d) your account is in non-payment beyond any applicable cure period. Where we act without prior notice, we will notify you promptly afterwards, give our reasons, and provide a route for you to respond or appeal. We will restore access promptly once we are reasonably satisfied the issue is resolved.
To the extent permitted by law, we will not be liable for losses arising from any action reasonably and proportionately taken in accordance with this section, provided we acted in good faith and on reasonable grounds. This does not exclude or limit: (i) liability for death or personal injury caused by our negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot lawfully be excluded or limited; (ii) any service-credit or other remedy available to you under the SLA; or (iii) our liability where the suspension, restriction or termination was not in fact justified. If you are a consumer, any suspension or termination will be applied fairly, this exclusion will not apply where the action was not justified, and your non-excludable statutory rights are unaffected; where a suspension of a consumer's access was unjustified, you may terminate and obtain a pro-rata refund of any prepaid fees for the unused period. Suspension or termination does not relieve you of fees accrued up to the effective date, save where a refund is required by law or the Terms of Service (see the Terms of Service for the refund position).
12. Changes to this Policy
We may update this Policy from time to time, for example to reflect new features, changes to the law, or new security or abuse risks. Where a change adversely affects you, we will give you reasonable advance notice (by email or in-app) before it takes effect, together with the reason for the change. You may terminate your subscription without penalty before the change takes effect, and obtain a pro-rata refund of any prepaid fees for the unused period, if you do not accept the change. For genuinely onerous changes (for example a material expansion of the indemnity in section 9), we will ask you to accept the updated Policy by an affirmative action rather than relying on continued use. For other changes, your continued use of the Service after the change takes effect means you accept the updated Policy. Changes do not apply retroactively to liabilities or rights already accrued. We keep dated versions of this Policy; the "last updated" date below ([last updated date - confirm]) shows when it was last revised.
13. Relationship to other documents and third-party rights
This Policy supplements, and does not replace, the Terms of Service, the Privacy Policy, the DPA and the SLA, and should be read with our sub-processor list, cookie policy and security information. The Service depends on third-party providers (including our database, authentication and storage host, our hosting and serverless-function provider, our payment processor and our transactional-email provider, as listed in the sub-processor list). Changes to sub-processors are handled in accordance with the DPA. To the extent permitted by law and subject to the SLA, the Terms of Service and the non-excludable carve-outs referred to in sections 2 and 11, we are not liable for the failure, suspension, or acts or omissions of third-party providers to the extent beyond our reasonable control, which are addressed by the force majeure provisions of the Terms of Service. Except as expressly provided, a person who is not a party to the Terms of Service (of which this Policy forms part) has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.
14. Governing law and jurisdiction
This Policy and any dispute or claim arising out of or in connection with it are governed by the law of England and Wales, and are subject to the dispute-resolution and jurisdiction provisions of the Terms of Service. Any arbitration or class-action-waiver provision in the Terms of Service applies only to business customers and does not bind a consumer; a consumer is not required to submit to mandatory pre-dispute binding arbitration and retains the right to bring proceedings in their home UK courts. Nothing in this Policy deprives a consumer of the protection of the mandatory rules of the law of their place of residence.
15. Contact
Questions about this Policy can be sent to [data protection / privacy contact email - confirm], or by post to [registered office / trading address]. WagePilot is operated by [Whealbit Ltd OR sole trader - confirm legal entity & status], company registration number [company registration number if a company], ICO registration reference [ICO registration reference], VAT number [VAT number if VAT-registered].