1. Who We Are, and Who Is Responsible for Your Data
Vigilant Security Group Ltd (“we”, “us”) operates the SAB 360 workforce management platform. Company registration number: 14306435. Registered office: 106 Ilford Lane, Ilford, England, IG1 2LD. Data protection contact: privacy@sab360.co.uk.
If you are an employee or contractor of Vigilant Security Group Ltd itself, Vigilant Security Group Ltd is the data controller for your personal data processed through SAB 360. If you are an employee or contractor of another company that subscribes to SAB 360 (a “Client Organisation”), your employer is the data controller for your personal data, and Vigilant Security Group Ltd acts as a data processor on your employer's instructions under our Data Processing Agreement.
2. What SAB 360 Is
SAB 360 is a workforce management platform used by security companies to manage shift sign-in/out, rotas, SIA licence and right to work compliance, patrol checkpoints, incident reporting, and policy acknowledgement. Vigilant Security Group Ltd uses SAB 360 for its own workforce, and also makes it available as a subscription service to other security companies. Each Client Organisation's data is kept separate — see Section 5A.
3. What We Collect
- Identity and contact data: name, email, job role, username.
- Employment and shift data: rota, sign-in/out timestamps, site geofence.
- Precise location data: captured only at shift sign-in/out, not continuously.
- SIA licence and right to work documents.
- Photo ID and proof of address.
- Bank details, used solely for payroll.
- Policy acknowledgement records.
- Push notification tokens (where enabled).
- Selfie verification photographs (only where switched on for your account).
- Incident report data and photographs.
- Client portal access details (where your employer grants a client visibility of coverage).
- Billing and subscription data for Client Organisations — card payment itself is handled entirely by Stripe; SAB 360 never stores your full card number.
4. Why We Collect It, and Our Lawful Basis
Processing is carried out under UK GDPR Article 6(1)(b) (performance of your employment contract), Article 6(1)(c) (legal obligations, e.g. the Private Security Industry Act 2001 and the Immigration, Asylum and Nationality Act 2006), and Article 6(1)(f) (our legitimate interests in accurate attendance records, compliance, and site safety). Selfie photographs are ordinary photographs reviewed by a human, not automated facial recognition, and so are not processed as special category biometric data under Article 9.
5. Who We Share It With
We do not sell your data. It may be shared with our hosting provider, Stripe (payment processing for subscriptions), your employer's payroll provider or bank, client organisations you are contracted to (limited to attendance/screening confirmation), and regulators where legally required (e.g. the SIA, the Home Office, HMRC).
5A. How Client Organisations' Data Is Kept Separate
Each Client Organisation's staff records, attendance, documents, incidents, and payroll data are logically isolated and only accessible to that Client Organisation's own administrators and staff. Vigilant Security Group Ltd's platform administrators can see account-level information only (e.g. active status, employee count, billing status) for platform oversight and support — not another company's staff records, documents, payroll, or attendance data.
6. How Long We Keep It
- Right to work evidence: employment + 2 years (Home Office guidance).
- SIA licence records: employment + 12 months.
- Photo ID / proof of address: employment + 6 years.
- Bank details: employment + 6 years, then securely deleted.
- Attendance and location records: 2 years.
- Incident reports: 6 years.
- Billing and subscription records: subscription + 6 years.
- Policy acknowledgements: employment + 6 years.
7. Your Rights
Under UK GDPR you can request a copy of your data, ask us to correct or erase it, object to processing based on legitimate interests, and complain to the Information Commissioner's Office. If your employer is a Client Organisation rather than Vigilant Security Group Ltd, raise the request with your employer first.
8. Security
Data is encrypted in transit (HTTPS/TLS). Each Client Organisation's data is logically separated. Passwords are hashed and never visible to SAB 360 staff. Full payment card numbers are never collected or stored by SAB 360.
9. Children
SAB 360 is for employees and contractors aged 18 and over, consistent with SIA licensing eligibility. It is not directed at children.
10. Changes to This Policy
We may update this policy from time to time; the effective date will be updated and material changes communicated directly.
Related documents
See also our Terms of Service.