This Privacy Policy explains how Scotsman Group ("we", "our", "us") collects, uses and protects personal information about artists, suppliers, staff and other people who use the PR-DJ External Invoicing platform. We are the data controller for the personal data you provide when you sign up for and use the service. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).
1. What we collect
- Identity: your name, email address and (optionally) a stage name and social link.
- Profile: the type of service you provide (DJ, live music, quiz, etc.).
- Payment data: bank sort code, account number, account holder name and National Insurance number — held encrypted at rest.
- Contact: telephone numbers and address — held encrypted at rest.
- Activity: bookings, invoices, payments and shifts you submit through the platform.
- Technical: IP address, browser user-agent, and sign-in timestamps (used for security audit).
2. Why we collect it (lawful basis)
- Contract: to manage bookings and pay you for performances you carry out at Scotsman Group venues.
- Legal obligation: for HMRC and National Insurance reporting; for accounting record retention.
- Legitimate interests: to operate, secure and improve the platform, detect fraud, and respond to support requests.
- Consent: for marketing emails (only if you opt in) and for any other use we ask separately about.
3. Who we share it with
- Scotsman Group staff — venue managers, Operations, Finance and HR with the minimum permissions needed to do their job. Bank details are visible only to HR & Payroll (full) and Finance (masked).
- HMRC and payroll providers — for tax and NI reporting.
- Microsoft — your identity is held in Microsoft Entra External ID (Azure UK regions only) for sign-in and password management.
- Other service providers who help us run the platform under written data-processing agreements (e.g. Microsoft Azure for hosting, email delivery providers).
We do not sell personal data. We do not transfer it outside the UK or EEA without an approved transfer mechanism.
4. How long we keep it
- Active accounts: while you remain registered.
- Inactive accounts: deleted automatically after 2 years of inactivity.
- Financial records (invoices, payments): 6 years from the end of the tax year, per HMRC retention rules.
- Audit logs of PII access: 1 year.
- Marketing preferences: kept while your account exists so we honour your last choice.
5. Your rights
Under UK GDPR you have the right to access your data, correct it, delete it (right to erasure), restrict or object to processing, and ask for a portable copy. You can withdraw consent for marketing at any time without affecting your account.
To exercise any of these rights, contact us using the details below. We will respond within one month.
6. Security
We hold all sensitive personal data (bank details, NI numbers, contact details, addresses) encrypted at rest using Azure Key Vault envelope encryption. Access is restricted by role, logged on every read, and reviewed regularly. We follow Microsoft Azure security and PCI-DSS aligned practices for the platform.
7. Contact
Data Protection Officer (DPO): dpo@scotsman.group
Postal address: Scotsman Group, [registered office address]
UK supervisory authority: The Information Commissioner's Office (ICO) — ico.org.uk.
8. Changes to this policy
If we make material changes we'll re-ask for your consent the next time you sign in. Minor changes will appear here with an updated date and version number.
This is a draft. The final wording will be reviewed and approved by Scotsman Group's Data Protection Officer before launch. Last updated 2026-05-22.