Privacy Policy
Last updated: 25 February 2026
1. Who We Are
Sponsor Complians Hub is operated by Sponsor Complians Limited, a company registered in England and Wales. We provide a B2B SaaS platform helping UK employers manage their Home Office sponsor licence obligations.
Data Controller: Sponsor Complians Limited
Contact: [email protected]
Address: United Kingdom
This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
| Category | Data Types | Purpose |
|---|---|---|
| Account Data | Name, email address, organisation name, job role | Account creation and authentication |
| Billing Data | Payment method (via Stripe), billing address, invoice history | Processing subscriptions and deposits |
| Worker Records | Sponsored worker names, CoS references, visa expiry dates, right-to-work documents | Sponsor licence compliance management |
| Usage Data | Login timestamps, feature usage, audit logs | Security, fraud prevention, product improvement |
| Communications | Support messages, email correspondence | Customer support and service delivery |
| Waitlist Data | Name, email, company, worker count | Pre-launch interest and founding member programme |
3. Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract: Processing necessary to provide our platform services under our Terms of Service.
- Legitimate Interests: Security monitoring, fraud prevention, product analytics, and service improvement.
- Legal Obligation: Compliance with UK law, including financial record-keeping and responding to lawful requests.
- Consent: Marketing communications and optional cookies. You may withdraw consent at any time.
4. Data Sharing and Third Parties
We share data only with trusted service providers who process data on our behalf:
- Stripe — Payment processing. Stripe is PCI DSS compliant and operates under its own privacy policy.
- Manus Platform — Cloud infrastructure, authentication, and AI services.
- Google Maps — Route mapping and address geocoding (anonymised queries only).
We do not sell, rent, or trade personal data with third parties for marketing purposes. We do not transfer data outside the UK/EEA without appropriate safeguards.
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of subscription + 30 days | Service delivery; 30-day read-only access post-cancellation |
| Billing records | 7 years | HMRC financial record-keeping requirements |
| Worker compliance records | Duration of subscription + 30 days | Active compliance management |
| Audit logs | 2 years | Security and fraud investigation |
| Waitlist data | Until account creation or 2 years | Pre-launch communications |
| Support communications | 3 years | Dispute resolution and service improvement |
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data ('right to be forgotten').
- Right to Restriction: Request we limit how we process your data.
- Right to Portability: Receive your data in a machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent for consent-based processing at any time.
- Lodge a Complaint: Complain to the ICO at ico.org.uk if you believe we have mishandled your data.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. Authenticated users can also request data export or account deletion directly from their account settings.
7. Cookies and Tracking
We use the following types of cookies:
| Type | Purpose | Consent Required |
|---|---|---|
| Essential | Session authentication, security tokens, CSRF protection | No — strictly necessary |
| Analytics | Anonymous usage statistics to improve the platform | Yes — requires consent |
| Preferences | Remembering your settings (theme, language) | Yes — requires consent |
You can manage your cookie preferences at any time using the cookie consent banner or by contacting us. Withdrawing consent for non-essential cookies will not affect your ability to use the platform.
8. Security Measures
We implement industry-standard security measures to protect your data, including:
- TLS/HTTPS encryption for all data in transit
- Encrypted database storage for sensitive fields
- Role-based access controls (RBAC) within organisations
- Comprehensive audit logging of all data access
- Rate limiting and brute-force protection on all API endpoints
- Regular security reviews and penetration testing
- Stripe PCI DSS compliance for payment data
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on the platform. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the platform after changes constitutes acceptance of the updated policy.
11. Contact Us
For any privacy-related queries, requests, or complaints, please contact our Data Protection Officer:
Sponsor Complians Limited — Data Protection
Email: [email protected]
ICO Registration: Pending (platform launches 1 April 2026)
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
