Privacy policy
Last updated: 5 July 2026 · TODO(founder): confirm entity details before launch.
1. Who we are
SponsorFort (“we”, “us”) provides sponsor-licence compliance software at sponsorfort.com. For personal data you enter about your own staff and candidates, you are the controller and we are your processor (see the Data Processing Agreement). For account, billing and website data, we are the controller. Contact: privacy@sponsorfort.com. TODO(founder): add registered company name, number and address; register with the ICO and add the registration number.
2. What we collect and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Account data — name, email, password hash | Sign-in, security, service messages | Contract |
| Organisation & licence records you enter | Providing the service (as your processor) | Your instructions under the DPA |
| Worker records & documents you upload | Providing the service (as your processor) | Your instructions under the DPA |
| Billing data (via Stripe) | Payments, VAT invoices, fraud prevention | Contract; legal obligation |
| Audit log (who did what, when, IP) | Security and compliance record-keeping | Legitimate interests |
| Analytics events (consent-gated) | Understanding product usage | Consent |
| Lead-magnet answers & email | Sending your results; updates if opted in | Consent |
3. Where your data lives
Application data and documents are stored in the United Kingdom (London, AWS eu-west-2, via Supabase), encrypted in transit and at rest. Some subprocessors (below) process limited data outside the UK under appropriate safeguards (UK IDTA / EU SCCs as applicable).
4. Subprocessors
- Vercel (hosting; USA/EU)
- Supabase (database, auth, file storage; London, UK)
- Stripe (payments and tax; USA/EU)
- Resend (transactional email; USA/EU)
- PostHog (product analytics; EU — consent-gated)
- Sentry (error monitoring; USA/EU)
- Anthropic (optional AI drafting of report text; USA — only when enabled)
5. Retention
Organisation data is kept while you subscribe and for 90 days after cancellation so you can export it, then deleted. Deletion requests are honoured with a 7-day grace period. Audit logs and billing records may be kept longer where the law requires. Lead-magnet data is deleted on request or after 24 months of inactivity.
6. Your rights
You have UK GDPR rights of access, rectification, erasure, restriction, portability and objection. Where we act as processor, we'll route requests to the relevant employer (our customer). Contact privacy@sponsorfort.com; you may also complain to the ICO (ico.org.uk).
7. Changes
We'll post changes here and email account owners about material ones at least 14 days before they take effect.