Privacy Policy

Last updated: 25 May 2026

1. Who we are and how to contact us

"Public Sector Sponsorship" (the "Service", "we", "us", "our") operates publicsectorsponsorship.co.uk. The Service helps users find UK government, NHS, and other public sector jobs that offer Skilled Worker visa sponsorship, and assists with related application materials. We are the data controller for the personal data we process about our users.

We are independent and not affiliated with the UK Government, NHS, Civil Service, or any local authority.

Privacy contact: privacy@publicsectorsponsorship.co.uk. Please use this address for any data-protection request (access, deletion, correction, objection, portability, or to report a suspected breach). For general questions you can also use our contact page.

ICO registration: our registration with the UK Information Commissioner's Office (ICO) as a data controller is in progress. The reference number will be added here once issued.

Data Protection Officer: we are not required to appoint a statutory DPO under UK GDPR Art. 37. The privacy email above is the single point of contact for all data-protection matters.

2. Data we collect

We collect the following categories of personal data:

  • Account data: name, email address, password (stored only as a bcrypt hash), phone number (optional), country of residence, current visa status, and whether you need sponsorship.
  • Career profile data: work experience, qualifications, certificates, professional registrations (e.g. NMC, GMC), personal statement content, target roles, bands, specialties, preferred locations, and salary expectations.
  • Application activity: jobs you save, jobs you mark as applied, notes, and AI-generated documents (cover letters, supporting statements, CV tailoring).
  • Billing data: subscription tier, billing status, and Stripe customer/subscription identifiers. Card numbers and bank details are processed directly by Stripe and are never stored on our servers.
  • Technical and usage data: IP address, browser/device information, session identifier, pages viewed, referrer, and timestamps — collected automatically for analytics, security, and abuse prevention.
  • Support correspondence: any messages you send us via email or the contact form.
  • Cookies and similar identifiers: see section 13.

We do not knowingly collect special category data (health, religion, political views, etc.). Please do not include such information in free-text fields (e.g. personal statements) unless it is necessary for the job application.

3. How we use your data

We process personal data to:

  • Provide and operate the Service (account, search, saved jobs, applications).
  • Generate tailored application documents using AI based on your profile and the job you select.
  • Process payments and manage subscriptions through Stripe.
  • Send transactional emails (account verification, password reset, billing receipts, subscription notices). We do not currently send marketing emails.
  • Maintain the security of the Service, prevent fraud and abuse, and debug issues.
  • Produce aggregated, non-identifying analytics to improve the Service.
  • Comply with legal, accounting, and tax obligations.

4. Legal bases (UK GDPR Art. 6)

  • Contract (Art. 6(1)(b)): creating your account, operating the Service, generating AI documents you request, processing your payment.
  • Legitimate interests (Art. 6(1)(f)): securing the Service, preventing fraud and abuse, basic product analytics, and responding to your support requests. We have balanced these interests against your rights; you may object at any time (see section 10).
  • Consent (Art. 6(1)(a)): non-essential cookies (see section 13) and any future marketing communications. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): retaining billing records for UK tax law, responding to lawful requests from authorities.

5. AI processing

When you generate a document, we send your selected profile information and the relevant job advert to a third-party large language model via the Lovable AI Gateway — currently models from Google (Gemini) and OpenAI (GPT). Providers are contractually restricted under their enterprise terms from using your inputs or outputs to train their models.

This is not a "solely automated decision" under UK GDPR Art. 22. The AI produces a draft document that you review, edit, and choose whether to use. No decision with legal or similarly significant effect is taken automatically about you. You remain in control of every application you submit.

Generated documents are stored in your account so you can revisit and edit them. You can delete any generated document at any time.

6. Job catalogue source

Job adverts shown in the Service are collected from publicly available sources, including NHS Jobs, Find a Job (DWP), MyJobScotland, JobsGoPublic, university and council career sites, named employer career pages, and the Adzuna API. We do not collect personal data about the people who posted those adverts beyond what is published in the advert itself.

7. Sub-processors

We share personal data only with the following processors, each engaged under a written data-processing agreement:

Processor | Purpose | Region
Supabase (via Lovable Cloud) | Database, authentication, file storage | EU (Frankfurt)
Cloudflare | Application hosting, edge delivery, DDoS protection | Global edge; primary EU
Stripe | Payment processing and subscription management | EU / US (SCCs + UK Addendum)
Lovable AI Gateway | Routing AI requests to model providers | EU / US (SCCs + UK Addendum)
Google (Gemini) | AI document generation | US (SCCs + UK Addendum)
OpenAI | AI document generation | US (SCCs + UK Addendum)
Adzuna | Job advert source (no user data sent) | UK
Firecrawl | Crawling public job pages (no user data sent) | US (SCCs + UK Addendum)
Lovable / Mailgun | Delivery of account, billing, and support emails | US (SCCs + UK Addendum)

We do not sell your personal data and we do not share it with advertising networks or data brokers. We may disclose data if required by law, court order, or to establish, exercise, or defend legal claims.

8. International transfers

Our primary database is hosted in the EU (Frankfurt). Some of the processors listed above are based outside the UK/EEA (notably in the United States). Where personal data is transferred internationally, we rely on UK-approved safeguards:

  • UK International Data Transfer Agreement (IDTA); or
  • UK Addendum to the EU Standard Contractual Clauses (SCCs); or
  • A UK adequacy decision where one applies.

For more information on UK transfer safeguards, see the ICO international transfers guidance.

9. Data retention

Data category | Retention period
Account and profile data | Life of account, then deleted within 30 days
Saved jobs, applications, generated documents | Life of account; deletable at any time
Analytics events | Rolling 13 months
Rate-limit / abuse logs | 7 days
Transactional email send log | 90 days
Billing records (invoices, Stripe IDs) | 6 years (UK tax law)
Email suppression list (unsubscribes, bounces) | Indefinite (to honour your opt-out)
Encrypted database backups | Up to 30 days after deletion
Support correspondence | 24 months from last reply

When you delete your account from account settings, all user-owned rows (profile, work experience, qualifications, certificates, personal statement, career preferences, saved jobs, applications, generated documents, AI usage, subscription record, role, and the auth identity) are wiped within seconds, except where we are legally required to retain billing records.

10. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectification of inaccurate data (Art. 16).
  • Erasure ("right to be forgotten", Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability in a machine-readable format (Art. 20).
  • Object to processing based on legitimate interests, including analytics (Art. 21).
  • Not be subject to a solely automated decision with legal or similarly significant effect (Art. 22). See section 5 — our AI is not such a process.
  • Withdraw consent at any time where consent is the basis.

You can rectify your profile and delete your account directly from account settings. For any other request, email privacy@publicsectorsponsorship.co.uk. We will respond within one calendar month, as required by UK GDPR Art. 12(3); we may extend this by up to two further months for complex requests and will tell you if we need to.

11. Security

We apply technical and organisational measures appropriate to the risk, including:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption at rest for the database and backups.
  • Passwords stored as bcrypt hashes — never in plain text.
  • Row-Level Security (RLS) on every user table, scoped to your authenticated identity, so other users cannot read or modify your data.
  • Role-based access for administrative functions, checked server-side.
  • API keys and webhook secrets stored in a managed secret vault.
  • HMAC signature verification on incoming payment webhooks.
  • Rate limiting on sensitive endpoints (account deletion, AI generation, auth).
  • Server-side input validation on all user submissions.

No system is ever 100% secure. Please use a strong, unique password and notify us immediately at privacy@publicsectorsponsorship.co.uk of any suspected unauthorised access to your account.

12. Data breach notification

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours of becoming aware of it, as required by UK GDPR Art. 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Art. 34).

13. Cookies

We use a small number of cookies and similar identifiers:

Strictly necessary

Name | Purpose | Duration
sb-*-auth-token | Keeps you signed in | Up to 1 year (refreshed)
cookie-consent | Remembers your cookie choice | 1 year

These cookies are required for the Service to function and cannot be disabled.

Analytics (first-party, aggregated)

We record privacy-friendly page-view events in our own database (no third-party analytics cookie). Records include URL path, referrer, session ID, and timestamp. They are aggregated and not used for advertising or cross-site tracking.

Functional

Small preferences (e.g. theme, dismissed banners) stored in your browser's local storage. Clearing browser storage will reset them; the Service will still work.

We do not use advertising cookies, third-party tracking pixels, social-media tracking, or device-fingerprinting.

14. Children

The Service is not directed at children. In line with UK GDPR Art. 8 (as implemented in the Data Protection Act 2018), the minimum age to create an account is 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us with data, contact privacy@publicsectorsponsorship.co.uk and we will delete it promptly.

15. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top shows the latest revision. For material changes that affect how we process your personal data, we will give at least 14 days' notice by email and/or a prominent in-app notice before the changes take effect.

16. Complaints

If you are unhappy with how we have handled your personal data, please contact us first at privacy@publicsectorsponsorship.co.uk so we can try to resolve it.

You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk. If you are based in the EEA, you may instead complain to your local data protection authority — see the EDPB members list.

17. Contact

Data-protection requests: privacy@publicsectorsponsorship.co.uk
General questions: contact page.