Skip to content

DRAFT — have reviewed by a solicitor before charging customers. Prepared for UK GDPR; not itself legal advice.

Privacy policy

Last updated: 5 July 2026 · TODO(founder): confirm entity details before launch.

1. Who we are

SponsorFort (“we”, “us”) provides sponsor-licence compliance software at sponsorfort.com. For personal data you enter about your own staff and candidates, you are the controller and we are your processor (see the Data Processing Agreement). For account, billing and website data, we are the controller. Contact: privacy@sponsorfort.com. TODO(founder): add registered company name, number and address; register with the ICO and add the registration number.

2. What we collect and why

DataPurposeLawful basis
Account data — name, email, password hashSign-in, security, service messagesContract
Organisation & licence records you enterProviding the service (as your processor)Your instructions under the DPA
Worker records & documents you uploadProviding the service (as your processor)Your instructions under the DPA
Billing data (via Stripe)Payments, VAT invoices, fraud preventionContract; legal obligation
Audit log (who did what, when, IP)Security and compliance record-keepingLegitimate interests
Analytics events (consent-gated)Understanding product usageConsent
Lead-magnet answers & emailSending your results; updates if opted inConsent

3. Where your data lives

Application data and documents are stored in the United Kingdom (London, AWS eu-west-2, via Supabase), encrypted in transit and at rest. Some subprocessors (below) process limited data outside the UK under appropriate safeguards (UK IDTA / EU SCCs as applicable).

4. Subprocessors

  • Vercel (hosting; USA/EU)
  • Supabase (database, auth, file storage; London, UK)
  • Stripe (payments and tax; USA/EU)
  • Resend (transactional email; USA/EU)
  • PostHog (product analytics; EU — consent-gated)
  • Sentry (error monitoring; USA/EU)
  • Anthropic (optional AI drafting of report text; USA — only when enabled)

5. Retention

Organisation data is kept while you subscribe and for 90 days after cancellation so you can export it, then deleted. Deletion requests are honoured with a 7-day grace period. Audit logs and billing records may be kept longer where the law requires. Lead-magnet data is deleted on request or after 24 months of inactivity.

6. Your rights

You have UK GDPR rights of access, rectification, erasure, restriction, portability and objection. Where we act as processor, we'll route requests to the relevant employer (our customer). Contact privacy@sponsorfort.com; you may also complain to the ICO (ico.org.uk).

7. Changes

We'll post changes here and email account owners about material ones at least 14 days before they take effect.