Privacy Notice

Privacy Notice

Last updated September 2023

We take data protection seriously and this Privacy Notice explains how we use any personal information we collect about you.

Who are we?

PayStream Accounting Services t/a Tifo is a subsidiary company of the PayStream My Max Holdings group. PayStream Accounting Services Limited is also the company that employs all its internal staff to administer our Tifo software services.  All companies part of the PayStream group of companies, we refer to as ‘us,’ ‘we’ and ’Tifo’ in this Privacy Notice. 

Source of personal data

You, your agency and/or your end client may provide personal information to us in order for onboarding checks, as determined by your client and/or agency, to be carried out.  Typically, personal information is provided to Tifo via our web-portal (we will refer to throughout this Privacy Notice as ‘the portal’), though this may also in some instance be provided via email, over the phone or by post.   We endeavour to keep safe any personal information that we collect, however this is provided.  

What personal information we need and why we need it

As above, we need your personal information for us to discharge our contractual duties and for our legitimate interests and to carry out onboarding checks as required by your agency and/or end client. During your client’s onboarding process and in some instances throughout your employment or engagement with the agency and/or client, the agency or client may request that we collect personal information about you which is relevant to the checks required for your role (or prospective role) including but not limited to:

  • Personal details, including name, address, nationality, gender, date of birth, bank details and National Insurance (NI) number;
  • Contact details and preferences, including mobile, home and work phone numbers (where applicable);
  • Legal requirements relating to your right to work in the UK;
  • Start and termination of employment dates and assignment information;
  • Health information;
  • Data pertaining to (but not limited to) criminal records, financial history, work history etc. may be processed as part of onboarding processes and/or, where necessary, in the course of employment to verify that candidates are suitable for employment or continued employment and to comply with legal and regulatory obligations to which Tifo is subject);
  • All incoming and outgoing emails that you send to us from a known email address are recorded for quality, audit and training purposes; 
  • If you visit our website/portal, we collect information about the Internet Protocol (IP) address of your device used to access the site. This helps us to monitor the level of activity and service we provide. You can find more information about this on our website.

In some cases, your agency and/or client may have passed on your name and contact details so that we can contact you in respect of the onboarding checks. Alternatively, you may have provided the details to us directly, either via our website or otherwise. In order for you to be onboarded as quickly as possible, we may email you reminders to complete the relevant checks and/or otherwise, to encourage you to complete the checks.

Whilst your agency/client’s site is live, we will hold your personal information, for the purposes of our legitimate interests, in accordance with the retention schedule determined by your agency or client as applicable.  Once your agency/client’s site is shut down, data will be hard deleted within 60 days.

We hold your personal information securely to comply with our contractual obligations, to respond to any queries from recruitment businesses in respect of our Comply services and for additional checks which may be required to be carried out easily.

How will we use the information about you?

There are different reasons why we collect, store and use the information we hold about you. These are:

For the performance of a contract:

  • We can carry out checks on your identity, right to work, work history/ references, financial history, criminal record, company directorship, driving license and media / social media activity.  Depending on the types of checks requested by your agency and/or client we may use external databases to do this. For more information, please see the ‘Who else sees your information?’ section.
  • We need to fulfil our contractual obligations and in order to do so we may need to share your information with the agency or client.  This may include exchanging personal information gathered from you, results of the checks carried out via Tifo and your documentation if it is necessary to fulfil our contract.
  • Where an agency or client has requested that we conduct a right to work check, we may require a passport, or other proof of right to work document.  Where such documents do not grant the right to work in the UK, we may need to ask for further documentation to support the check. In respect of your entitlement to work in the UK, if you have a right to work document that is capable of being checked via the Government’s online service (such as a Biometric Residence Permit), then we will use the relevant details from the document to check your right to work via the online service if so required by your agency and/or end client. Where you have an outstanding appeal or application with the Home Office, an Application Registration Card or a Certificate of Application, then we will check it using the Government’s Employer Checking Service.  For more information, see the ‘Who else sees your information?’ section below.   We will treat your right to work documentation with upmost care and provide it with appropriate safeguards for your fundamental rights and interests.

Our legitimate interests:

  • We may, for instance, ask you to participate in surveys, although this will be voluntary. We use surveys, reviews and marketing tools to get your feedback and make continuous improvements to Tifo.
  • The website and portal uses cookies to help provide you with the best experience we can. Cookies are small text files that are placed on your computer or mobile phone when you browse websites.  For more information see here:    

Who else sees your information?

In certain circumstances, we may need to share your information with others. With whom we share your information and the reasons behind this are as follows: 

  • We may disclose or share your personal information if we are under a duty to in order to comply with any legal obligation, in order to enforce or apply the terms of our contract, terms of use or other agreements, or, to protect the rights, property, or safety of Tifo, our employees, customers or others.  This includes (though is not necessarily limited to), exchanging information with other companies and organisations for the purposes of the detection and prevention of crime (including financial crime and fraud), credit risk reduction, our insurance broker (Marsh Ltd. t/a Marsh Commercial, registered at 1 Tower Place West, Tower Place, London, EC3R 5BU) and insurance underwriters, our debt collection agency and a tracing service from Global Investigations Limited. 
  • To comply with our contractual and/or legal obligations, we may also disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
  • We will need to share information with your recruitment business or an end client in order to demonstrate our compliance and/or in order to fulfil our contractual commitments with them.  We may be required for instance to share details on your right to work documents and/or other onboarding check results to the recruitment business or end client.  In addition, in order to demonstrate our compliance, we may also need to disclose or share your personal information in order to comply with requests for information that we receive from time to time from external auditors (such as ISO for example).  Where we do disclose personal information either to external auditors, a recruitment business or end client for such purposes, we will do this securely where possible so as to reduce the likelihood of any data breach.    
  • Sterling Risq (for international background checking). Information is sent to Sterling Risq, and Sterling Risq will then perform international background checks and return the results to Tifo. These international background checks may include but not be limited to criminal / civil history, financial history, directorship, eligibility to work depending on your agency or their end client’s requirements.
  • If a Right to Work check is requested by your agency and/or end client we will run a check to ensure you have the right to work in the UK and we will use information (including personal information) in your entitlement to work documents to carry out relevant checks.  Depending on the documentation provided, this may include transferring personal information to the website to check the validity of a document ,  use of the employer checking service ( or respectively as, as above, in certain circumstances use of GB Group’s ID checking services.
  • We may share your information with the recruitment business or other intermediary for which we hold a contract for the provision of your services for the purposes of compliance with the contract or any other legal obligation.
  • In the event that we sell or buy any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets. If Tifo or substantially all of its assets are acquired by a third party, personal information held by it will be one of the transferred assets.
  • We use Mimecast UK Limited to sanitise, secure and archive all inbound, internal and outbound emails. All emails undergo various best practices checks / processes and the content is scanned for malicious content / markers.
  • We use Shred-IT Limited for document destruction services. They help ensure that client, employee and confidential business information is kept secure at all times. Visit for more information.
  • We use Microsoft Azure to hosts our sites, including the databases, logging and usage statistics. This service also hosts the services that let us integrate with other CRMs. Data sent includes Anonymised usage data and logging of actions and errors.  All documents will be stored in UK data centres and encrypted at rest. Sensitive documents will also have additional encryption. Visit for more information.
  • An external company, Trustpilot A/S (“Trustpilot”), may contact you via email to invite you to review any services and/or products you received from us.  We use Trustpilot to collect your feedback which means that we will share your name, email address and reference number with Trustpilot in order to collect your feedback and improve our services and products. If you want to read more about how Trustpilot process your data, you can find their Privacy Policy here. Tifo may also use such reviews in other promotional material and media for our advertising and promotional purposes.
  • We use an external supplier, Ruler Analytics, who provide Marketing Analytics Software to us via the use of a tracking cookie on our website. The processing involves matching data (such as your name, email address or telephone number) with data that Ruler Analytics gather and store via the tracking cookie.  The purpose of this processing is for Marketing Analysis to allow Tifo to attribute generated revenue to each website channel. If you want to read more about how Ruler Analytics process your data, a copy of their GDPR Policy and IT Security policy can be provided to you on request.
  • Whenever you use the portal there is certain information that always gets recorded automatically. The type of information we may collect includes information about the device you are using, what operating system you are using, device settings, unique device identifiers and crash data (data analytics). What type of information we collect depends on the type of device you are using. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.
  • We use Companies House to validate UK company information and that the contractor’s details of their company match up with their directorship. This requires the Company registration number, company name, full name and date of birth of the company officer.
  • We use DotDigital to allows Tifo to send text messages from within Tifo, or as part of other actions.  The data required for these purposes includes the receiving phone number, and any information contained in the text message.
  • We will from time to time use DocuSign and/or EchoSign to allow users to digitally sign and date a document.  Data required may include, but is not necessarily limited to the email address, full name of recipient, name of the document to be signed, the document data, the document extension and a list of tags to be merged with fields. These tags include personal information, contact information, the client on the case, limited company information, bank account, next of kin, electricity account, international passport, birth information, references, custom form data, adverse financial information, compliance case information, online disclosures information and international sanctions.
  • We may use the HMRC site to validate VAT information for UK companies by passing in a VAT registration number and returning that companies details, to make sure that they match up.
  • We may use HMTL to PDF, which is a self-hosted service which converts HTML pages to a PDF document which can be downloaded by the end user. It is used to generate audit reports, timesheets and invoices.  This includes all the data on the audit report, timesheet or invoice. For the audit report, this includes personal information, case information and the information on each step. For timesheets, this includes assignment data. For invoices, this includes bank account and address information.
  • We may use ip-api to look up the geographical location of a user based on their IP address.
  • We may from time to time use PrizmDoc which is a self-hosted service that displays documents in a viewer, adds form elements on top of existing documents and allows users to fill in form data, and then “burn” the data into a final document. If we do, then this will involve sharing the document which is being viewed or turned into a form.
  • Postcode Anywhere is used from time to time to return valid addresses based on incomplete search terms, such as company name, postcode or first line of an address.  This involves sharing a search term, usually a postcode.
  • SendGrid sends emails from within Tifo, or as part of other actions, such as notifying users when the status of a case changes. This involves the email address of the recipient(s), any attachments, the subject line and the content of the email.
  • VIES   Use: Validates VAT information for non-UK companies by passing in a VAT registration number and a country. Returns the company’s details, to make sure they match up requiring a company registration number and a country code.

Your rights

You have a number of rights in respect of your personal information. You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email

We want to make sure that your personal information is accurate and up to date. Please ask us to correct or remove information you think is inaccurate. We will only use your personal information as we have described in this Privacy Notice, but, in the unlikely event that we need to use it in a different way, we will provide you with an updated Privacy Notice.

Where we have based our processing on our legitimate interests, you do have the right to object to the processing or restrict us processing your information in this way. In this case, we will need to demonstrate to you that our legitimate interests are sufficiently compelling to override your interests or rights, or that purpose is to establish or defend legal claims.

You have the right to erasure, although this does not provide an absolute ‘right to be forgotten’ and applies only in these specific circumstances: where your personal information is no longer necessary in relation to the purpose for which it was originally collected/processed, you withdraw consent, you object to the processing and there is no overriding legitimate interest for continuing the processing, we unlawfully processed your personal information and, where your personal information has to be erased in order to comply with a legal obligation.

Where we have based our processing on the performance of a contract, you will have the right to receive this information from us in a structured, commonly used way and have the right to send this to someone else.

If you are unhappy with the way we use your personal information, you can make a complaint to us directly or to the Information Commissioner’s Office (ICO). You can visit this website:

Changes to our Privacy Notice

We keep our Privacy Notice under regular review and should we change it, we will provide you with an updated copy.

How to contact us

If you have any questions about our Privacy Notice or the information we hold about you, please contact or write to F.A.O. PayStream t/a

Mansion House,
Manchester Road,
WA14 4RW. 

Our Data Protection Officer can be reached at the same address, or by email to .