Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

For any privacy-related inquiries or to exercise your rights, please contact us at the email address above.

2. What Personal Data We Collect

We collect the following categories of personal data:

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under the GDPR:

• Consent (Article 6(1)(a)): When you create an account and explicitly consent to the processing of your personal data. You may withdraw consent at any time.
• Contract Performance (Article 6(1)(b)): Processing necessary to provide our visa facilitation services, including matching workers with employers and processing applications.
• Legal Obligation (Article 6(1)(c)): Retaining payment and transaction records as required by tax and financial regulations.
• Legitimate Interest (Article 6(1)(f)): Improving our platform, preventing fraud, and ensuring security of our services.

4. How We Use Your Data

We use your personal data for the following purposes:

• Account management: Creating and managing your account, authenticating your identity
• Visa application processing: Preparing and submitting work visa applications on your behalf
• Document verification: Using AI (Google Gemini) to verify the authenticity and quality of uploaded documents
• Worker-employer matching: Matching verified worker profiles with employer job requirements
• Payment processing: Processing Job Finder service charges and placement fees through Stripe
• Communication: Sending service-related notifications, profile reminders, and responding to inquiries
• Platform improvement: Analysing usage patterns to improve our services

5. Data Sharing and Third Parties

We share your personal data with the following categories of recipients:

• Supabase (database & storage): Stores your account data, profile information, and uploaded documents. Servers located in the EU.
• Stripe (payment processing): Processes your payments securely. Stripe is certified under the EU-US Data Privacy Framework.
• Google / Gemini AI (document verification): Your uploaded documents are processed by Google's AI to verify authenticity. Google is certified under the EU-US Data Privacy Framework.
• Google Workspace (email): Used to send and receive emails. Google is certified under the EU-US Data Privacy Framework.
• Vercel (hosting): Hosts our website. Vercel complies with GDPR requirements.
• European employers: Your profile data is shared with matched employers only after you have been matched and the visa process has been initiated. We will never share your data with employers without your knowledge.

We do not sell, rent, or trade your personal data to any third party.

6. International Data Transfers

Some of our service providers (Stripe, Google, Vercel) are based in the United States. These transfers are protected by appropriate safeguards including the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as required by GDPR. Your data is treated with the same level of protection regardless of where it is processed.

7. Data Retention

We retain your personal data for the following periods:

• Active accounts: Data is retained for as long as your account is active and you maintain a relationship with us.
• Deleted accounts: When you delete your account, all personal data including uploaded documents is permanently deleted within 30 days.
• Payment records: Transaction records are retained for 7 years to comply with tax and financial reporting obligations.
• Contact form messages: Retained for 12 months after the inquiry is resolved, then deleted.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Article 15): You can request a copy of all personal data we hold about you.
• Right to Rectification (Article 16): You can correct inaccurate or incomplete personal data through your profile settings.
• Right to Erasure (Article 17): You can delete your account and all associated data at any time through your account settings.
• Right to Data Portability (Article 20): You can download all your personal data in a machine-readable format (JSON) from your account settings.
• Right to Restrict Processing (Article 18): You can request that we limit how we process your data in certain circumstances.
• Right to Object (Article 21): You can object to the processing of your data based on legitimate interest.
• Right to Withdraw Consent: You can withdraw your consent at any time by deleting your account. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at contact@workersunited.eu or use the self-service options in your account settings.

9. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

• All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
• Passwords are securely hashed and never stored in plain text
• Documents are stored in encrypted cloud storage with access controls
• Administrative access is restricted and monitored
• Regular security reviews of our infrastructure and code

10. Cookies

We use only essential cookies that are strictly necessary for the functioning of our website:

• Authentication cookies: Used to keep you logged in and maintain your session (set by Supabase Auth)
• Cookie consent: Remembers whether you have acknowledged this cookie notice

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. Since we only use essential cookies, consent is not required under GDPR, but we inform you of their use for transparency.

11. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will take steps to delete it.

12. Non-Personal Information

When you visit our website, we may automatically collect certain non-personal information from your browser, such as your browser type, operating system, and referring website. This information cannot identify you personally.

Non-personal information may be used to analyse trends, administer the site, and gather broad demographic information for aggregate use. This data is never linked to any personal information.

13. Links to Other Sites

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage you to read the privacy policy of any website you visit. This Privacy Policy applies only to information collected by Workers United through our Platform.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice on the Platform. The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.

15. Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a data protection supervisory authority. You may contact the supervisory authority in the EU member state where you reside, work, or where the alleged infringement occurred.

You can also contact us directly at contact@workersunited.eu and we will do our best to resolve your concern.