Privacy Policy

Effective date: 4 July 2025

1. Introduction & Overview

Welcome to Find A Start Ltd (“Find A Start”, “we”, “us”, “our”). Protecting the personal data you share with us is at the core of our business and essential to the trust you place in our platform. This Privacy Policy explains, in clear terms, how and why we collect, use, store and share information when you:

• visit or interact with our website at findastart.co.uk (the “Site”);
• download, install or use any version of our mobile application (the “App”); or
• otherwise access, purchase or use any of our workforce-management and recruitment services (collectively, the “Services”).

1.1 Purpose of this Policy
This document is designed to give you transparent information about:

1. What personal data we collect or create;
2. Why we process it and the lawful bases we rely on;
3. How we use it and for how long we keep it;
4. With whom we share it and how we safeguard international transfers; and
5. Your rights in relation to that data and how you can exercise them.

1.2 Controller vs. Processor
For most processing activities, Find A Start Ltd acts as the data controller—we determine the purposes and means of processing. In limited situations, for example where we merely host data strictly on the documented instructions of a Contractor, we act as a processor under a written data-processing agreement.

1.3 Relationship with Other Terms
This Privacy Policy forms part of, and should be read in conjunction with, our Terms of Service. If a provision in this Policy conflicts with the Terms of Service, the clause providing the higher standard of data protection will prevail.

1.4 Legal Framework
We process personal data in accordance with:

• the UK General Data Protection Regulation (“UK GDPR”);
• the Data Protection Act 2018;
• the Privacy and Electronic Communications Regulations (“PECR”); and
• any other UK laws or regulatory guidance that apply to the processing of personal data.

1.5 Future Updates
We may update this Policy from time to time to reflect changes in law, technology or our business operations. Where any change is material, we will give you at least 14 days’ prior notice via e-mail and a prominent notice on the Site and/or in the App. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.

If you have questions about this Policy or how we handle personal data, please contact us using the details in Section 2 (Who We Are).

2. Who We Are (Data Controller)

Find A Start Ltd (“Find A Start”, “we”, “us”, “our”) is the organisation that decides how and why your personal data is processed when you use our Services.

Legal entity: Find A Start Ltd
Companies House No.: 14806770 (England & Wales)
Registered office: Hunters Moon, Chiddingly Road, Horam, Heathfield, East Sussex, TN21 0JJ, United Kingdom
Primary privacy contact: info@findastart.co.uk

2.1 Privacy Governance

Data-controller role – For nearly all processing activities we determine the purposes and means of processing and therefore act as a data controller under the UK GDPR. Where we process personal data strictly on the documented instructions of a Contractor (for example, hosting applicant data on their behalf), we act as a data processor and will enter into a UK-GDPR-compliant data-processing agreement.

Privacy Lead – Although we are not legally required to appoint a statutory Data Protection Officer under Article 37 UK GDPR, we have designated a senior Privacy Lead who:

monitors internal compliance;
advises on data-protection obligations; and
serves as primary liaison with supervisory authorities and data subjects.

Lead supervisory authority – Our lead authority is the UK Information Commissioner’s Office (ICO). You may lodge a complaint with the ICO if you believe we have processed your data unlawfully.

2.2 Representative in the European Economic Area (EEA)

We do not currently target or monitor individuals in the EEA within the meaning of Article 3(2) EU GDPR; consequently, an Article 27 EU representative is not presently required. Hosting some data in EEA cloud regions (e.g., Ireland for resilience and backup) does not constitute an “establishment” or trigger Article 27 representation.

If we later begin to offer or market our Services specifically to, or deliberately monitor, EEA-based users—for example by enabling Contractors to post EU jobs or allowing Trade Users resident in the EU to sign up—we will appoint a duly authorised EU representative and update this Policy before such expansion.

2.3 How to Contact Us

E-mail: info@findastart.co.uk
Post: Privacy Lead, Find A Start Ltd, Hunters Moon, Chiddingly Road, Horam, Heathfield, East Sussex, TN21 0JJ, United Kingdom

We acknowledge privacy-related correspondence within 48 hours and aim to provide a full response within one calendar month, in line with Article 12 UK GDPR.

3. Scope of this Policy

This Privacy Policy explains how Find A Start Ltd (“Find A Start”, “we”, “us”, “our”) collects, uses, shares and otherwise processes personal data in connection with:

Website – your visit to, or interaction with, findastart.co.uk and any sub-domains we operate;
Mobile application(s) – your download, installation or use of our iOS/Android App, including any successor, white-label or companion apps;
Communication channels – e-mail, in-App messaging, live-chat, telephone, social-media pages or any other channel we control when used to deliver or support the Services;
APIs, webhooks and integrations – connections we make available to Contractors or authorised third-party software so they can interface with our platform;
All online services and tools we operate now or in the future under the Find A Start brand, unless a separate privacy notice is presented.

For definitions of “Contractor”, “Trade User” and other key terms, see Section 4 – Key Terms.

3.1 What Is Not Covered

This Policy does not apply to:

Contractors or Trade Users acting as independent controllers. For example, when a Contractor downloads a Trade User’s CV and stores it in the Contractor’s own HR or payroll system, the Contractor – not Find A Start – becomes solely responsible for that data under the UK GDPR (and, where applicable, the EU GDPR);
Third-party websites, services or mobile applications that are linked from our Site or App but are not controlled by us. Their own privacy notices govern the data they collect, and we disclaim liability for their practices;
Aggregated, anonymised or de-identified information that can no longer reasonably be used to identify an individual. We may use such data for analytics, optimisation and business insight without further notice;
Offline interactions that do not involve our IT systems – for instance, paper forms or face-to-face meetings conducted entirely by a Contractor;
Processing that falls outside the territorial scope of the UK GDPR. If and when we actively target individuals in the EEA, we will appoint an Article 27 EU representative and update this Policy in accordance with Section 18 – Changes to This Privacy Policy.

By accessing or using any of the Services described above, you acknowledge that your personal data will be processed in accordance with this Privacy Policy and applicable data-protection laws. If you do not agree with the terms, please refrain from using the Services.

This clarification limits Find A Start’s liability for data processed outside our ecosystem, aligns terminology with Section 4, and signposts future EEA obligations – strengthening legal protection while maintaining transparency for users.

4. Key Terms

The following defined terms are used throughout this Privacy Policy to ensure clarity and legal precision:

Term	Meaning
Personal data	Any information relating to an identified or identifiable natural person (Article 4(1) UK GDPR).
Processing	Any operation or set of operations performed on personal data (including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure or destruction).
Data controller	The natural or legal person that determines the purposes and means of the processing of personal data—Find A Start Ltd acts as the data controller for most processing described in this Policy.
Data processor	A natural or legal person that processes personal data on behalf of a controller (e.g., AWS, Cloudflare, Sentry).
Trade User	An individual blue-collar trade professional or job-seeker who registers on the Platform to view or apply for vacancies.
Contractor	A company or hirer that posts job vacancies on the Platform and reviews applicant information.
Site	Our public website located at findastart.co.uk and any sub-domains we operate.
App	Any mobile application published by Find A Start Ltd that provides access to the Services.
Services	The recruitment-and-workforce-management marketplace, including the Site, App, APIs, and related support, operated by Find A Start Ltd.
UK GDPR	The UK General Data Protection Regulation as incorporated into UK law by the European Union (Withdrawal) Act 2018.
ICO	The UK Information Commissioner’s Office—the independent supervisory authority overseeing data-protection legislation in the United Kingdom.
Legitimate interests	A lawful basis under Article 6(1)(f) UK GDPR that permits processing where necessary for the controller’s or a third party’s legitimate purposes, provided such interests are not overridden by the individual’s rights and freedoms.
AI Summary	A concise, machine-generated synopsis of a job posting produced solely for user convenience; it does not constitute automated decision-making under Article 22 UK GDPR.

5. What Personal Data We Collect

We follow the data-minimisation principle and request only what is necessary for each purpose.

Category	Examples	Source	Mandatory?
Registration Data	Name, e-mail address, postcode, chosen trade/occupation, encrypted password	Provided by you	Yes – required to create an account
Profile & Job-Related Data (future optional)	CV or résumé, profile photo, trade certifications (e.g., CSCS card), right-to-work documents, licences	Provided by you	Optional – you decide whether to add these items
Application Data	Cover-letter text, answers to screening questions, availability dates	Provided by you at time of application	Optional but may affect application completeness
Usage & Technical Data	IP address, log files, device type, OS, App version, feature usage, crash reports	Collected automatically via Sentry SDK & our servers	No – data is pseudonymised and aggregated
Security & Authentication Data	Session tokens, MFA status, login timestamps, failed-login counters	Generated by our auth systems	Yes – essential for platform security
Marketing Preferences	In-App notification opt-in/out, preferred trade categories for job alerts	Provided/updated by you	No
Support & Feedback Data	Help-desk messages, feedback forms, survey responses	Provided by you	No

Special-category data. We do not request or intentionally process special-category data (health, biometrics, trade-union membership, etc.) or criminal-record data.

Financial data. We do not collect bank-account or card details; any payments occur offline between Contractors and Trade Users.

Acceptance records. We keep a timestamped log of when you accepted our Terms of Service and this Privacy Policy to demonstrate compliance.

6. Legal Bases for Processing

Find A Start Ltd processes personal data only where we have at least one lawful basis under Article 6 UK GDPR. The table below shows the main purposes for which we use your data and the corresponding legal bases.

Purpose of processing	Principal lawful basis	Notes & safeguards
Account creation, authentication and ongoing platform access	Contract – Art 6 (1)(b)	Processing is necessary to perform the Terms of Service you enter into when you register.
Enabling job-application workflows and communications between Trade Users and Contractors	Contract – Art 6 (1)(b)	Includes transmitting application details you choose to share.
Platform operation, security, error/crash logging, fraud-prevention, service analytics, and business-continuity backups	Legitimate interests – Art 6 (1)(f)	We have conducted a Legitimate Interests Assessment (LIA) to ensure these activities are necessary and proportionate. Data are pseudonymised where possible, access-controlled, and retained for limited periods. A summary of the LIA is available on request.
In-App job alerts, feature updates, or other direct marketing	Consent – Art 6 (1)(a)	You choose whether to receive these messages via the notification toggle in your account settings. You can withdraw consent at any time.
Storing optional profile data (e.g., future CV uploads, trade certificates) and sending such data to Contractors on your instruction	Consent – Art 6 (1)(a)	Uploading these items is voluntary. You may delete them at any time in your profile.
Compliance with legal obligations (e.g., tax or accounting rules, responding to lawful requests from authorities)	Legal obligation – Art 6 (1)(c)	We retain only the data required and disclose information strictly within the scope of the request.
Protection of vital interests in rare emergencies (e.g., preventing serious harm or security incidents)	Vital interests – Art 6 (1)(d)	Used only where life or physical safety is at stake and no other basis is workable in time.

6.1 Special- and Criminal-Category Contingency

We do not intentionally process special-category data (e.g., health, biometrics, trade-union membership) or criminal-record data at present. If a future feature—such as right-to-work or CSCS-card verification—requires us to collect or view such information, we will first:

Conduct a Data Protection Impact Assessment (DPIA);
Identify and document a valid Article 9 or Article 10 lawful condition, plus a supporting Schedule 1 policy document under the Data Protection Act 2018;
Update this Privacy Policy and our sub-processor inventory; and
Provide at least 14 days’ advance notice by e-mail and in-App banner (see Section 18).

Until those steps are completed—and the updated Policy takes effect—we will neither request nor store special-category or criminal-record data.

7. How We Use Personal Data

We use personal data only for the purposes set out below and only where we have a valid lawful basis (see Section 6). Where the same activity could fall under more than one lawful basis, we rely on the basis that affords the greatest protection to you and the most robust compliance posture for Find A Start Ltd.

#	Purpose	Description	Principal Lawful Basis
1	Account setup & authentication	Creating and managing user profiles, verifying credentials, logging sign-in activity, enforcing password hygiene.	Contract (Art. 6(1)(b))
2	Provision of marketplace services	Matching Trade Users with relevant job postings, enabling applications, transmitting messages and attachments between Trade Users and Contractors.	Contract
3	Display of applicant information to Contractors	Showing only those data elements a Trade User elects to include in an application or profile.	Contract
4	Service communications	Sending transactional notifications such as application status updates, system alerts, and in-App job alerts you have opted into.	Legitimate interests / Contract
5	AI-generated job summaries	Producing concise, human-readable overviews of lengthy job descriptions to improve usability. No automated decision-making with legal or similarly significant effects.	Legitimate interests
6	Platform analytics & improvement	Collecting pseudonymised crash reports and aggregated usage metrics via Sentry to diagnose bugs, measure performance and improve features.	Legitimate interests
7	Security & fraud prevention	Monitoring for suspicious log-ins, enforcing MFA, maintaining audit trails, and investigating abuse.	Legitimate interests / Legal obligation
8	Back-ups & business continuity	Maintaining encrypted back-ups in UK and US data centres, disaster-recovery failover, and data-integrity checks.	Legitimate interests / Legal obligation
9	Marketing (optional)	Sending newsletters, promotions or surveys only where you have given clear opt-in consent. You can withdraw consent at any time.	Consent (Art. 6(1)(a))
10	Legal & regulatory compliance	Retaining records required by HMRC, responding to lawful requests from regulators, courts or law-enforcement.	Legal obligation (Art. 6(1)(c))
11	Enforcing our rights	Investigating and defending legal claims, pursuing debt-collection, enforcing the Terms of Service.	Legitimate interests / Legal obligation

We do not engage in automated decision-making that produces legal or similarly significant effects on individuals (Art. 22 UK GDPR). All candidate ranking, short-listing and hiring decisions are made by human Contractors.

We do not use personal data for any purpose that is incompatible with the purposes described above without first informing you and, where required, obtaining your consent.

8. Sharing & Disclosure

Find A Start Ltd does not sell or rent personal data. We disclose information only in the limited circumstances set out below and always under appropriate safeguards.

Recipient / Category	Purpose of Disclosure	Safeguards & Lawful Basis*
Counterparties inside the platform • Contractors see the application details that a Trade User chooses to submit. • Trade Users see the vacancy details that a Contractor posts.	To facilitate recruitment workflows, interviews, offers and onboarding.	Contract (Art 6 (1)(b)) – required to deliver the services requested by both parties. Each party becomes an independent data controller for any information it downloads or processes outside the platform.
Service providers (processors) • Amazon Web Services (AWS) – hosting, authentication, encrypted storage (UK/EU/US). • Cloudflare – edge security, DDoS protection, global CDN (UK/US). • Sentry – crash-analytics logging (EU).	To operate, secure and maintain the Site and App.	Written data-processing agreements incorporating UK International Data-Transfer Addendum (IDTA) or Standard Contractual Clauses (SCCs) where applicable; data encrypted in transit (TLS 1.2+) and at rest (AES-256).
Professional advisers Lawyers, auditors, insurers and accountants.	Corporate governance, legal advice, audits, insurance cover.	Legitimate interests (Art 6 (1)(f)) – advisers are bound by professional secrecy and written confidentiality agreements.
Corporate events Merger, acquisition, restructuring or sale of assets.	Business continuity and completion of the transaction.	Any successor entity will be bound by this Policy or an equivalent that offers no lesser protection.
Legal, regulatory & safety Courts, regulators, law-enforcement agencies.	To comply with a legal obligation or to protect the rights, property or safety of Find A Start, our users or the public.	Legal obligation (Art 6 (1)(c)) or, where necessary, vital interests (Art 6 (1)(d)). We scrutinise each request and disclose only what is strictly required.
Aggregated / anonymised data	Platform analytics, industry reports, service optimisation.	Data are irreversibly de-identified so no individual is identifiable.
Disclosures with your consent	Any additional sharing you expressly authorise (e.g., exporting your profile to a third-party CV service).	Consent (Art 6 (1)(a)) – you may withdraw consent at any time.

* The UK GDPR lawful basis shown is the primary ground; some disclosures may rely on more than one basis depending on context.

International transfers. Where a disclosure involves a recipient outside the UK, the safeguards in Section 9 apply.

No hidden recipients. Apart from the categories listed above, we share data with no one else. Should we engage additional processors in the future, we will update this list in the Policy before any new processing begins and, where required, provide advance notice under Section 18.

9. International Data Transfers

While Find A Start Ltd hosts the majority of personal data in the United Kingdom, certain processing operations require limited cross-border transfers—principally to the United States and the European Economic Area (EEA). We take great care to ensure that any data leaving the UK continues to benefit from a level of protection that is essentially equivalent to UK standards.

9.1 Where We Transfer Data

Destination	Typical Recipient / Service	Why the Transfer Occurs
United States	Amazon Web Services (US regions), Cloudflare edge nodes, encrypted back-up storage	High-availability hosting, content delivery, disaster-recovery back-ups
European Economic Area	AWS (Ireland), Sentry error-logging (EU), Cloudflare EU PoPs	Redundancy, performance optimisation, EU-based analytics environment

9.2 Transfer Safeguards

When a transfer falls outside the scope of a UK adequacy regulation (e.g., to the United States), we rely on one or more of the following mechanisms:

UK International Data Transfer Addendum (IDTA) or the UK-approved Standard Contractual Clauses (SCCs) executed with the non-UK recipient.
Binding corporate rules or equivalent intra-group arrangements (where applicable).
Technical and organisational measures such as end-to-end TLS (≥ v1.2), server-side encryption (AES-256), role-based access controls, and strict key-management procedures.
Pseudonymisation and data-minimisation to reduce risk in the event of unauthorised access.

We perform transfer-risk assessments (TRAs) as required by the ICO guidance to confirm that supplementary measures render the data sufficiently protected in the recipient jurisdiction.

9.3 How You Can Obtain Further Information

Copies of the IDTA, SCCs or other contractual safeguards we rely on are available upon request (subject to redaction for confidentiality). You may request these by contacting us at info@findastart.co.uk.

9.4 Future Changes

Should we add new non-UK service providers or relocate data processing to additional jurisdictions, we will update this section and provide at least 14 days’ advance notice of any material change, allowing you to object or exercise your rights if you wish.

10. Automated Decision-Making, AI & Profiling

Find A Start Ltd makes limited use of artificial-intelligence (AI) technologies and other automated processes. We do not engage in any solely automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 UK GDPR.

10.1 Descriptive AI Summaries

We deploy a large-language-model (LLM) tool to generate a concise, plain-English synopsis of each job posting. This assists Trade Users in quickly determining whether a role merits further review.

Inputs: The full text of the job description provided by the Contractor.
Outputs: A short, human-readable summary surfaced at the top of the posting.
Safeguards: The original job description remains fully accessable; no candidate or personal data is used as input.

10.2 No Candidate Profiling or Auto-Rejection

We do not auto-rank, score or reject applicants.
Contractors receive applications in the order submitted and perform all short-listing actions manually.
No credit-scoring, psychometric, or behavioural-prediction algorithms are applied to Trade Users’ data.

10.3 Additional Automated Processes (Non-decisional)

Process	Description	Safeguards
Security event detection	Automated alerts trigger when abnormal login patterns or potential credential-stuffing attacks are detected.	Alerts are reviewed by security staff; no adverse action is taken without human verification.
Spam & malware scanning	Attachments and in-App messages are screened for viruses and phishing links.	Legitimate content is never blocked without manual confirmation.
Crash analytics	Sentry SDK aggregates error logs to identify code defects.	Data is pseudonymised and used only for debugging.

These processes involve limited automated analysis but do not make decisions that affect user rights or opportunities.

10.4 Human Oversight & Explanation

If we ever introduce functionality that materially relies on algorithmic decisions, we will:

Conduct a Data-Protection Impact Assessment (DPIA);
Implement meaningful human review prior to any decision; and
Provide users with a clear explanation of the logic involved, the significance, and the envisaged consequences, as required by UK GDPR.

10.5 Your Rights Under Article 22

object to processing based solely on automated decision-making,
request human intervention,
express your point of view, and
contest any automated decision.

You may exercise these rights by contacting us at info@findastart.co.uk. We will respond within one month.

11. Cookies & Similar Technologies

Cookies, SDKs and similar tracking technologies help us operate and improve the Services. Because we are a UK-based organisation, our use of cookies must comply with the Privacy and Electronic Communications Regulations (PECR) as well as the UK GDPR.

11.1 Current Position (No Non-Essential Cookies)

Site: We presently set only strictly-necessary cookies that enable core functionality such as load-balancing and security. These cookies do not require consent under PECR.
App: The mobile App embeds the Sentry SDK to capture crash events and aggregated usage metrics. Data collected is pseudonymised and used solely for debugging and service-improvement purposes. No marketing or ad-tech SDKs are implemented.

11.2 Types of Technologies We May Deploy

Category	Purpose	Consent Required?
Strictly-necessary	To deliver pages, maintain session state, perform load-balancing and ensure security (e.g., Cloudflare cookies).	No – essential for the requested service.
Performance / Analytics	To measure usage and improve features (e.g., page-load times, crash frequency).	Yes – if we introduce analytics beyond pseudonymised, first-party statistics.
Functionality	To remember user preferences (e.g., language, trade filter, notification toggle).	Yes – unless the preference cookie is explicitly requested by the user.
Advertising / Targeting	To deliver personalised job ads or third-party promotions.	Yes – prior opt-in consent is mandatory under PECR.

11.3 Consent Management & User Controls

Implement a GDPR-compliant Consent Management Platform (CMP) that presents a clear, granular choice on first visit.
Honour the soft opt-in / opt-out standard for analytics cookies recommended by the ICO, and block deployment until consent is obtained.
Provide a persistent cookie-settings panel in the Site footer and the App settings, allowing you to change or withdraw consent at any time.
Respect Do Not Track (DNT) and Global Privacy Control (GPC) signals where technically feasible.

11.4 Retention & Expiry

Session cookies expire when you close your browser.
Persistent cookies will be set for a maximum of 12 months, after which they will automatically lapse unless you renew consent.
SDK diagnostic events are retained in Sentry for 90 days before automatic deletion.

11.5 Browser & Device Settings

View the cookies stored on your device;
Delete all or selected cookies;
Block third-party cookies or all cookies;
Enable tracking-protection modes.

Please note that blocking strictly-necessary cookies may impair the functionality of the Services.

11.6 Future Updates

Update this Section 11 to describe the new technologies;
Provide at least 14 days’ prior notice via e-mail and in-App banner; and
Seek your consent where required before setting any non-essential cookies.

12. Mobile-App Permissions & Tracking

The mobile App requests only those device permissions that are strictly necessary to deliver core functionality or optional features you actively choose to use. We follow the principle of data minimisation and never enable tracking hardware (e.g., GPS, camera, microphone) without your explicit, contextual permission.

12.1 Standard (Essential) Permissions

Permission	Why We Request It	When Requested	Opt-Out / Control
Internet / Network access	To communicate with our servers and deliver content.	On first launch.	Disable mobile data or Wi-Fi in device settings (App will not function).
Push notifications	To send real-time updates (e.g., application status, new job alerts you subscribed to).	At sign-up or first use of notifications.	Toggle off in App Settings → Notifications or via device OS settings.

12.2 Optional (User-Initiated) Permissions

Permission	Purpose	When Prompted	Lawful Basis & Safeguards
Camera / Photo Library	To allow you to upload an optional profile photo or trade-certificate image.	Only when you tap "Upload Photo/Document".	Consent – image processed locally until uploaded; no continuous access.
File Storage / Media	To attach a CV or other document to an application.	When you select "Attach File".	Consent – single-instance picker; no background file scanning.
Location (coarse or fine GPS)	Currently not used. If introduced (e.g., for site-check-in), we will obtain separate opt-in consent and explain the specific purpose.	N/A (disabled by default).	Will rely on Consent; no background tracking; visible indicator in status bar.
Microphone	Not used. We do not record audio.	N/A	N/A

12.3 Tracking & Analytics SDKs

The only third-party SDK embedded in the App is Sentry for crash diagnostics. Data sent to Sentry is pseudonymised and stripped of personal identifiers.
We do not embed ad-tech, cross-app tracking, or fingerprinting SDKs.
Advertising shown in the App (e.g., trade tools) is purely contextual based on the trade you selected during registration; no behavioural tracking occurs.

12.4 How to Manage Permissions

In-App controls: Navigate to Settings → Privacy & Permissions to revoke camera, storage or location access at any time.
OS controls: Use the native Android or iOS privacy dashboard to review and change App permissions.
Revoking a permission disables the related feature but will not affect other parts of the App.

12.5 Future Permission Changes

If we introduce new permission-dependent features (e.g., geofenced check-ins), we will:

Update this Section 12 with full details;
Ask for opt-in consent the first time the feature is used;
Provide at least 14 days’ prior notice for material changes via e-mail and an in-App banner.

13. Data Security Measures

Protecting personal data is fundamental to our service. Find A Start Ltd operates a defence-in-depth security programme aligned with ISO 27001, NCSC Cyber Essentials, and the UK GDPR “security of processing” requirements (Art 32).

13.1 Technical Controls

Encryption – All traffic is protected by TLS 1.2/1.3; data-at-rest uses AES-256 with keys managed by AWS KMS.
Network security – Zero-trust segmentation, WAF, DDoS mitigation and real-time threat-intelligence blocking via Cloudflare.
Access management – Role-based access control (RBAC) enforced through AWS IAM/SSO; least-privilege reviews every quarter.
Authentication – User passwords are salted & hashed with bcrypt; staff and admin accounts must use multi-factor authentication (MFA).
Monitoring & logging – Centralised logs feed a SIEM with 90-day retention and automated anomaly alerts.
Endpoint security – Company devices employ full-disk encryption, EDR/AV and automated patching.

13.2 Organisational Controls

Secure Development Lifecycle (SDLC) – Peer review, automated secret scanning, vulnerability checks and CI/CD with environment segregation.
Third-party risk management – Processors undergo due-diligence, sign UK GDPR-compliant DPAs (IDTA/SCCs where relevant) and provide SOC 2 / ISO 27001 reports.
Staff training & confidentiality – Annual GDPR / security training; NDAs precede production access.
Change management – Material infrastructure or vendor changes require senior security sign-off and prompt updates to the sub-processor log (Section 8).

13.3 Testing & Assurance

Control	Cadence	Remediation Target
Automated vulnerability scans	Daily	Critical findings ≤ 7 days
External penetration tests	Annual	Critical findings ≤ 30 days

13.4 Business Continuity & Resilience

Encrypted backups replicated across UK & US regions (durability ≥ 11 nines); quarterly restore tests.
Disaster-Recovery Plan targeting ≤ 4 h RTO and ≤ 1 h RPO.

13.5 Incident Response & Breach Notification

Contain & investigate without undue delay.
Risk-assess impact on individuals.
Regulator notice – Notify the UK ICO within 72 hours of becoming aware of a notifiable breach.
User notice – Where the breach is likely to result in a high risk to individuals’ rights and freedoms (Art 34 UK GDPR), notify affected users without undue delay, including:
- nature of breach, contact point, likely consequences, and remediation measures.
Exemptions – User notice may be waived if:
- data were rendered unintelligible (e.g., robust encryption);
- subsequent measures eliminate the high risk; or
- individual notice would involve disproportionate effort, in which case a public communication will be issued.
Post-mortem & mitigation – Root-cause analysis, lessons-learned review and control improvements are documented and tracked to closure.

13.6 Your Responsibilities

Keep your credentials confidential and use a strong, unique password;
Enable MFA where offered;
Promptly inform us of any suspected unauthorised account activity.

13.7 Force Majeure

Find A Start Ltd shall not be liable for any delay, failure of performance, security incident or data-loss event that results directly or indirectly from causes beyond our reasonable control, including but not limited to: acts of God, natural disasters, war, terrorism, civil unrest, strikes, lock-outs, government action, failure of the public Internet or telecommunications networks, widespread power outages, or third-party hosting-provider disruptions that could not reasonably have been prevented with industry-standard safeguards.

During a force-majeure event we will use commercially reasonable efforts to mitigate impact, restore services and protect personal data. The obligations affected by the event shall be suspended for the duration of the force-majeure circumstance and resume once the event ends.

While no system can guarantee absolute security, these layered measures—combined with the above force-majeure provision—aim to keep residual risk proportionate to the nature and volume of data we process, thereby protecting both our users and Find A Start Ltd.

14. Data Retention & Deletion

We keep personal data only for as long as necessary to fulfil the purposes outlined in this Policy, comply with legal obligations and defend our legal rights. We determine retention periods using the storage-limitation principle of UK GDPR Article 5(1)(e) and the following criteria:

statutory and regulatory requirements (e.g., HMRC, Limitation Act 1980);
the nature and sensitivity of the data;
the potential risk of harm from unauthorised use or disclosure; and
business needs for archiving, security and fraud-prevention.

14.1 Master Retention Schedule

Data Category	Typical Contents	Retention Period	Rationale
Active accounts & profile data	Registration details, preferences, profile uploads	Retained indefinitely while the account is active	Ongoing contractual service provision
Inactive accounts	Same as above	Soft deletion after 24 months of inactivity; hard deletion or anonymisation after an additional 3 months grace period	User convenience vs. data-minimisation balance
Job applications & postings	CVs, cover letters, posting details, application metadata	6 years from closure	Limitation Act 1980 (contract claims) and potential employment-law claims
Support tickets & chat logs	User enquiries, bug reports, feedback	3 years from resolution	ICO guidance on “likely queries” + dispute window
Security & audit logs	Login attempts, token use, admin actions	12 months	Insider-threat monitoring and forensic investigations
System back-ups	Encrypted snapshots of production databases	Up to 30 days before automatic overwrite	DR resilience while limiting exposure
Financial & accounting records	VAT invoices, transactional logs where applicable	6 years + current tax year	HMRC record-keeping requirement
Aggregated / anonymised statistics	Site usage metrics devoid of identifiers	Retained indefinitely	Falls outside UK GDPR once irreversibly anonymised

Marketing data. E-mail addresses retained for marketing are stored until you opt out or withdraw consent, after which they are added to a suppression list to prevent further contact.

14.2 Deletion, Anonymisation & Archiving

User-initiated deletions: When you delete your account (or exercise the right to erasure), we erase or anonymise personal data within 30 days, unless retention is required by law (e.g., accounting records) or necessary to resolve ongoing disputes.
Soft deletion: Data marked for soft deletion is immediately removed from production views but remains in restricted-access archives until the applicable retention period expires.
Back-ups: Deletion requests propagate to encrypted back-ups; data will be purged automatically when the back-up reaches end-of-life (≤ 30 days).
Anonymisation: Where feasible, we anonymise data so that it can no longer be linked to an individual, allowing us to retain business analytics without personal identifiers.

14.3 Record of Processing & Reviews

We maintain an internal Record of Processing Activities (RoPA) that documents retention triggers and review dates. Retention periods are re-evaluated at least annually to ensure ongoing compliance.

15. Your Rights

Under the UK GDPR and the Data Protection Act 2018, you have a number of legal rights in relation to the personal data we hold about you. These rights are not absolute and may be subject to statutory exemptions, but we will always honour them to the fullest extent required by law.

Right	What you can ask us to do	Typical limitations / exemptions
Access	Confirm whether we process your personal data and receive a copy of it.	We may redact information that would reveal another individual’s data or our own trade secrets.
Rectification	Correct inaccurate or incomplete data.	We may need to verify the accuracy of the new information you provide.
Erasure (“Right to be forgotten”)	Delete personal data that is no longer necessary, where you withdraw consent, or where you have successfully objected.	We may keep data that we need for legal obligations or to establish, exercise or defend legal claims.
Restriction	Suspend our processing of your data—for example, while we verify accuracy or consider an objection.	During restriction we may still store the data but not otherwise use it.
Portability	Receive personal data you provided to us in a structured, commonly-used, machine-readable format and (where technically feasible) have it sent to another controller.	Applies only to data processed by automated means on the basis of consent or contract.
Objection	Object to processing based on legitimate interests (Article 6 (1)(f)) or to direct marketing.	We will stop unless we demonstrate compelling legitimate grounds that override your interests, or the processing is required for legal claims.
Withdraw consent	Withdraw any consent you have previously given at any time.	Withdrawal does not affect processing carried out before the withdrawal.
Automated decision-making	Request human intervention and challenge a decision made solely by automated means that produces legal or similarly significant effects.	Not applicable at present because we do not make such decisions (see Section 10).
Complain to the ICO	Lodge a complaint with the UK Information Commissioner’s Office if you believe your data has been processed unlawfully.	You may contact the ICO at any time (see Section 20).

15.1 How to exercise your rights
Submit your request – e-mail info@findastart.co.uk with the subject line “Data Rights Request” (or write to the postal address in Section 19).
Identity verification – To protect your data we may ask for proof of identity (e.g., a copy of your driving licence) or for information that matches your account details.
Response time – We aim to respond within one calendar month. Complex or multiple requests may extend this by up to two additional months; we will tell you if an extension is needed and why.
Fees – Requests are processed free of charge unless they are manifestly unfounded, repetitive or excessive, in which case we may charge a reasonable administrative fee or refuse to act.
Format of response – Where you request a copy of your data, it will be provided electronically (e.g., CSV or JSON) unless you request otherwise.

If you remain dissatisfied after we have responded, you may escalate the matter to the UK Information Commissioner’s Office (see Section 20).

16. Children & Young Workers

16.1 Minimum age

Our platform is strictly limited to users aged 18 or over.
Construction roles advertised on the Site/App generally require adult legal capacity and right-to-work checks that cannot be satisfied by minors.

16.2 Age declaration at sign-up

Every user must tick a box confirming they are 18 + and agree to the Terms of Service.
Creates an auditable record that we relied on the user’s representation in good faith (Recital 38 UK GDPR).

16.3 No active age-verification

We do not employ additional age-verification technology (e.g., ID scanning).
Proportionate to the residual risk because we do not offer content or services subject to mandatory age-gating under the UK Online Safety Act or Age-Appropriate Design Code.

16.4 Accidental collection

If we discover that someone under 18 has opened an account or submitted data, we will suspend the account and erase the data without undue delay and, where feasible, notify a parent/guardian.
Meets the UK GDPR duty to make reasonable efforts to verify age and to delete unlawfully collected data.

16.5 Future apprenticeship exceptions

Should we launch a government-approved apprenticeship or traineeship programme that lawfully engages 16- or 17-year-olds, we will:
- create a dedicated, age-appropriate privacy notice;
- obtain verifiable parental consent; and
- register any significant changes with the ICO if required.
Future-proofs the policy while avoiding implied permission today.

16.6 Parental / guardian requests

Parents or legal guardians who believe we hold data about a child may contact privacy@findastart.co.uk with proof of guardianship to request deletion.
Provides a clear remedy and reduces the risk of enforcement action.

16.7 Summary
We do not knowingly collect or process children’s data. Users must be 18 +; any under-age accounts or data are removed as soon as identified.

17. Third-Party Links & Integrations

Our Site and App may reference, embed or interoperate with services that are outside Find A Start’s direct control. The table below clarifies what that means for your privacy and helps shield us from liability for other parties’ conduct.

Scenario	What Happens	Your Responsibility / Our Disclaimer
External links (e.g., Contractor websites, training providers, tool suppliers)	Clicking a link leaves the Find A Start domain and opens a site we do not operate.	That site’s own privacy policy applies. We do not accept responsibility for, and make no representations about, their data-handling or content.
Embedded content (e.g., YouTube videos, map widgets)	Content may load directly from a third-party server, which can place cookies or collect usage data.	The provider’s cookie / privacy notice governs that collection. We recommend reviewing it before playing or interacting with embedded media.
Social-media share buttons or login options (future feature)	If you choose to use “Sign in with X” or share a vacancy on social media, the relevant platform receives information such as your IP address and the page you visit.	Use of those features is optional. Your relationship with the social-media platform is governed by its own terms and privacy policy.
In-App advertising & affiliate offers	Ads may be served by a vetted ad network based on trade category only (never by tracking cookies or precise location).	Interacting with an ad takes you to the advertiser’s site/app, where their policy applies.
Contractor-supplied application links (rare)	A Contractor may direct you to an external ATS or onboarding portal to complete your application.	The Contractor becomes the data controller for that portal. We advise reading their privacy notice before submitting further information.
Third-party APIs & plug-ins	We may integrate future services (e.g., address lookup, document signing). These providers act as our processors under written contracts and appear on our live sub-processor list (see Section 8).	Such integrations operate only within the Site/App environment and are covered by this Policy unless you are redirected off-site.

Important:

We share only the minimum data necessary to enable the chosen feature (typically a hashed identifier or trade category).
Your decision to engage with any external service is voluntary. If you do not wish a third party to collect information about you, do not click the link or use the integration.
We periodically review external links for legitimacy but cannot guarantee their ongoing security, legality or accuracy.

If you believe a linked or embedded third-party service compromises your privacy or security, please notify us at info@findastart.co.uk so we can investigate and, where appropriate, remove or replace the link.

18. Changes to This Privacy Policy

18.1 Why We May Change the Policy

We reserve the right to amend this Privacy Policy at any time to reflect:

changes in law or regulatory guidance (e.g. updates to UK GDPR, Data Protection Act 2018, PECR, ICO or NCSC best-practice notes);
new features, services or data-processing activities (including the introduction of cookies, SDKs or similar tracking technologies); or
organisational or operational adjustments within Find A Start Ltd.

18.2 How We Will Notify You

Update Type	Examples	Notice Period & Method
Material update	• Expands categories of personal data collected • Changes a lawful basis • Introduces non-essential cookies or SDKs • Alters user rights or our liability	≥ 14 days’ prior notice via: 1. E-mail to the address in your account; 2. Banner or pop-up in the App and on the Site; 3. If cookies are involved, a Cookie-Consent Management Platform (CMP) prompt seeking your fresh consent.
Minor or editorial update	Clarifications, typographical corrections, re-ordering sections without changing substance	Posted on the Site/App and effective immediately upon publication.

18.3 Effective Date & Version Control
The “Last updated” date at the top shows when the latest revision became effective.
We maintain an archive of previous versions for at least six years; you may request a copy by e-mailing info@findastart.co.uk.

18.4 Your Continued Use Constitutes Acceptance
By continuing to access or use the Site or App after the effective date of an updated Policy, you are deemed to have accepted the revised terms. If you disagree with any change, you must stop using our services and may request account deletion (see Section 14).

18.5 Keeping Your Contact Details Current
We rely on the e-mail address in your profile to deliver change notices. Please keep it up-to-date; Find A Start Ltd is not responsible for notices that fail because of an invalid or inactive address.

18.6 Questions About Updates
For any query regarding amendments to this Policy, contact our Privacy Lead at info@findastart.co.uk. We will acknowledge within five working days and respond within one calendar month.

19. Contact Us

Purpose	How to reach us	What to expect
General privacy queries, data-rights requests, withdrawal of consent	E-mail: info@findastart.co.uk	We acknowledge within 5 working days and provide a full reply—or next steps—within one calendar month (Article 12 UK GDPR).
Formal correspondence / complaints	Post (Recorded Delivery recommended): Privacy Lead – Find A Start Ltd Hunters Moon, Chiddingly Road Horam, Heathfield East Sussex, TN21 0JJ United Kingdom	Please include your name, contact details, and a clear description of the issue.
Supervisory-authority escalation	If you remain dissatisfied, you have the right to contact the UK Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF ☎ 0303 123 1113 ico.org.uk	We would appreciate the chance to resolve your concern first, but you may approach the ICO at any time.

Privacy Lead (non-statutory): Find A Start has appointed an internal Privacy Lead who monitors compliance, coordinates Data Protection Impact Assessments, and serves as the primary point of contact for the ICO. The Privacy Lead can be reached through the channels above.

Tip: To help us locate your account quickly, please include the e-mail address you used to register and “Data-Rights Request” (or similar) in the subject line of your message.

20. Complaints to the ICO

If you believe that Find A Start Ltd has processed your personal data in a manner that breaches the UK GDPR, the Data Protection Act 2018 or any other applicable legislation, you have the legal right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

First, please give us a chance to help. We are committed to resolving privacy concerns quickly and fairly. You can raise any issue directly with our Privacy Lead using the contact details in Section 19. We will investigate and aim to provide a full response within one calendar month.

Contact details for the ICO

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Telephone: +44 (0)303 123 1113
Website: www.ico.org.uk/make-a-complaint

You may contact the ICO at any time. However, the ICO generally encourages individuals to approach the organisation concerned first, as many issues can be resolved more swiftly and informally at source. Lodging a complaint with the ICO will not affect any other administrative or judicial remedies you may have.