Privacy Policy
Last updated: 8 June 2026
NekaID is a UK construction workforce verification and site management platform. This Privacy Policy explains how we collect, use, store, and protect personal data when workers, companies, agencies, and visitors use our service. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
The data controller for personal data processed through NekaID is:
Lyuben Metodiev trading as NekaID
Website: nekaid.co.uk
Email: info@nekaid.co.uk
ICO registration number: ZC135297
2. Who this policy applies to
This policy applies to all users of the NekaID platform, which has three account types:
- Workers (operatives) — construction workers who create a digital passport and manage their own credentials, documents, and personal information.
- Companies (site managers) — businesses and site managers who use NekaID to verify worker credentials, manage site attendance, and send inductions.
- Agencies (labour agencies) — labour hire and staffing agencies who manage a pool of workers, handle placements, and access full worker passport data including sensitive fields where consent has been given.
3. Data we collect from workers
Workers may enter any or all of the following information into their NekaID passport profile:
- Full name
- Email address
- Phone number
- Profile selfie photo (face_photo) — used as a messaging avatar only and not included on the public scan page
- CSCS card photo, card number, expiry date, and verification status
- Trade / job title
- Current employer / company name
- National Insurance (NI) number
- Passport photo page (image of identity document)
- Right to work document photo (passport, BRP, visa, or share code letter) and right to work expiry date
- Qualifications: name, certificate number, expiry date, and certificate photo — multiple qualifications per worker
- Bank details: bank name, account number, and sort code
- Next of kin: full name and phone number (third-party personal data — see section 5)
- Medical information and conditions (optional)
- General notes (optional)
- GPS location at the time of site sign-in, and site attendance records including sign-in and sign-out times and dates
- Push notification subscription endpoint (used to deliver expiry reminders and updates)
- Messages and attachments (photos and PDFs) sent via in-app messaging
4. Data we collect from companies and agencies
When a company or agency creates an account and uses the NekaID platform, we may collect and process:
- Account email address and login credentials
- Account role (company or agency)
- Site name, site address, and GPS coordinates (companies)
- Workforce pool records and placement records (agencies)
- Messages sent to workers via in-app messaging
- Induction content created and sent to workers (companies)
5. Sensitive personal data
The following fields are considered sensitive or special category personal data under UK GDPR. They are entirely voluntary — workers are never required to enter them, and the platform functions fully without them:
- National Insurance number
- Passport photo (image of identity document)
- Right to work document photo
- Bank details (bank name, account number, sort code)
- Medical information
- Next of kin details (which constitute personal data about a third party)
The legal basis for processing these fields is explicit consent. Workers voluntarily enter this information and control who can access it by choosing whether to share their QR code or passport link. Workers may withdraw consent and remove any of these fields at any time via the Edit Passport page.
Where next of kin details are provided, the worker confirms they have the consent of that individual to share their contact information with NekaID and with parties the worker shares their passport with.
6. Who can access worker data — access tiers
NekaID operates a three-tier access model:
- Unauthenticated viewers — anyone with the worker's QR code or public scan link can see the worker's name and CSCS card photo only. No other data is visible.
- Company accounts — authenticated company users can see all work-relevant fields, including: name, profile photo, email, phone, trade, company, NI number, CSCS card number and expiry, right to work expiry and document photo, qualifications, next of kin, medical information, and notes. Company accounts cannot see passport photos or bank details.
- Agency accounts — authenticated agency users have full access to all fields including passport photo and bank details, where the worker has entered them.
Workers control access to their data by choosing whether to share their QR code or passport link. NekaID does not share worker data with any party the worker has not chosen to share with.
7. Legal basis for processing
- Contract performance (Article 6(1)(b) UK GDPR) — processing of core passport fields (name, email, CSCS details, trade, company) is necessary to provide the NekaID service as described.
- Explicit consent (Article 6(1)(a) and Article 9(2)(a) UK GDPR) — processing of sensitive fields including NI number, bank details, passport photo, right to work document photo, medical information, and next of kin details, all of which are voluntarily provided and may be withdrawn at any time.
- Legitimate interests (Article 6(1)(f) UK GDPR) — processing related to push notifications, expiry reminders, in-app messaging, and platform security, where these interests are not overridden by individual rights.
- Legal obligation (Article 6(1)(c) UK GDPR) — processing necessary to support right to work verification in accordance with UK employment law.
8. How and where data is stored
NekaID uses the following data processors, all of which operate under GDPR-compliant data processing agreements:
- Supabase (supabase.com) — database and file storage, EU-hosted. Acts as our primary data processor. Photos and documents are stored in Supabase Storage with Row Level Security policies. Sensitive text fields are encrypted at rest.
- Vercel (vercel.com) — application hosting and serverless functions. GDPR-compliant. Does not store personal data beyond request logs.
- Resend (resend.com) — transactional email delivery including expiry notifications and account confirmation emails. GDPR-compliant.
- Stripe (stripe.com) — payment processing and subscription billing for company and agency accounts. Stripe processes payment card data directly and is PCI-DSS compliant. NekaID does not store payment card details. Stripe's privacy policy is available at stripe.com/gb/privacy.
- Cloudflare (cloudflare.com) — DNS routing. No personal data is stored by Cloudflare in connection with NekaID.
9. Data retention
Personal data is retained for as long as an account remains active or as long as necessary to provide the service.
On account deletion: all personal data is deleted within 30 days. Sensitive fields (NI number, bank details, and passport photo) are deleted immediately upon account deletion request.
Some records may be retained beyond this period where required by law, for fraud prevention, or for security and audit purposes.
10. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may correct inaccurate data at any time via the Edit Passport page.
- Right to erasure — you may request deletion of your account and associated data.
- Right to restrict processing — you may request that we limit how we use your data in certain circumstances.
- Right to data portability — you may request your data in a structured, commonly used, machine-readable format.
- Right to withdraw consent — you may remove sensitive fields (NI number, bank details, passport photo, medical info, next of kin) at any time via the Edit Passport page. Withdrawal does not affect the lawfulness of prior processing.
- Right to object — you may object to processing carried out on the basis of legitimate interests.
To exercise any of these rights, contact us at info@nekaid.co.uk. We will respond within 30 days.
11. Cookies and local storage
NekaID uses cookies and browser local storage for authentication sessions, platform functionality, and attendance features. For full details, please see our Cookie Policy.
12. Children
NekaID is intended for use by adults aged 18 and over. It is not directed at children and we do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has created an account, please contact us at info@nekaid.co.uk.
13. Complaints
If you are unhappy with how we handle your personal data, you have the right to complain to the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- NekaID ICO registration number: ZC135297
14. Changes to this policy
We may update this Privacy Policy as NekaID develops. Material changes will be notified by email to all registered users. The latest version will always be available on this page.
15. Contact
Lyuben Metodiev trading as NekaID
Email: info@nekaid.co.uk
Website: nekaid.co.uk
ICO registration number: ZC135297