1. Who we are
In this notice “Sponsio”, “we”, “us” and “our” mean the operator of the Sponsio website and any related services (together, the “Service”). Sponsio is the controller of the personal data described in this notice for the purposes of the UK General Data Protection Regulation, the Data Protection Act 2018 and, where applicable to you, the EU General Data Protection Regulation (together, the “Data Protection Laws”).
You can contact us about anything in this notice by emailing privacy@sponsio.com.
2. What this notice covers
This notice applies to personal data we collect when you visit the Service, when you create an account, when you use the public sponsor search and resources, and when you sign in to view personalised job suggestions. It does not apply to third-party websites or services we link to, including GOV.UK, employer career sites and LinkedIn, each of which has its own privacy notice.
3. The personal data we collect
We collect the following categories of personal data:
- Account data — the name and email address you provide at sign-up, and a salted, hashed representation of your password (we never store passwords in plain text).
- Profile data — information you choose to provide so that we can match you with relevant roles, including your target position, current role, years of experience, visa status or visa goal, and preferred location.
- Authentication data — session identifiers, refresh tokens and email-confirmation tokens generated by our authentication provider when you sign in or confirm your email address.
- Usage and technical data — standard server logs generated when you visit the Service, including IP address, approximate location derived from IP, user agent, referring URL, requested URL, response status and timestamp. These logs are kept by our hosting and authentication providers for limited periods to operate, secure and debug the Service.
- Communications — the content of any message you send us (for example, by emailing the address above or replying to a transactional email).
We do not intentionally collect special-category data (such as data revealing racial or ethnic origin, health, religion, or sexual orientation). Please do not submit such data to us. Your nationality or visa goal may be inferred from the visa field in your profile; you choose what, if anything, to put there.
4. How and why we use your personal data
We process your personal data for the following purposes and on the following lawful bases:
- To provide the Service to you. Creating and managing your account, authenticating you, generating personalised job suggestions, and operating in-product features. Lawful basis: performance of a contract with you (Article 6(1)(b) UK GDPR / EU GDPR).
- To send you transactional and service messages. Email-confirmation links, password resets, security notices and material changes to terms or this notice. Lawful basis: performance of a contract and legal obligation (Article 6(1)(b) and 6(1)(c)).
- To keep the Service secure and prevent abuse. Detecting and investigating suspicious sign-ins, scraping, fraud and other misuse; protecting the integrity of our systems. Lawful basis: legitimate interests (Article 6(1)(f)) in operating a secure service. Where we rely on legitimate interests, we balance them against your rights and freedoms; you may object as described in section 8.
- To improve the Service. Analysing aggregated, non-identifying patterns of use to fix bugs and improve job matching. Lawful basis: legitimate interests (Article 6(1)(f)) in improving our product. We do not currently use third-party analytics, advertising pixels or session-replay tools.
- To comply with law. Responding to lawful requests from public authorities, regulators and courts, and meeting our own statutory and regulatory obligations. Lawful basis: legal obligation (Article 6(1)(c)) and, where relevant, our legitimate interests in defending legal claims (Article 6(1)(f)).
5. Sponsor licence data and job listings
The UK Register of Licensed Sponsors: Workers is published by the Home Office and re-used by us under the Open Government Licence v3.0. The register contains organisation-level information, not personal data about you, and is not derived from anything you do on the Service.
Job listings shown on the Service are sourced from public third-party feeds, in particular public LinkedIn job postings obtained through a third-party API. Where these listings include the name or contact details of an individual recruiter, those individuals are not customers of Sponsio; we process such data only to the extent necessary to display the public posting to signed-in users and on the basis of our legitimate interests (Article 6(1)(f)) in providing a sponsor-aware job-discovery service. Recruiters who wish their details suppressed should contact us at the address above.
6. Who we share your personal data with
We do not sell your personal data, and we do not share it with advertisers. We share it only with the categories of recipient set out below:
- Our processors and infrastructure providers acting on our written instructions and bound by data-processing agreements: Supabase (authenticated database and authentication; EU region) and Vercel (hosting, content delivery and edge routing).
- Third-party data sources we query on the server side to populate sponsor and job data (including the GOV.UK register and our LinkedIn-jobs data provider). These queries are made by our servers and do not include your account identifier, email address or profile data.
- Professional advisers (lawyers, accountants, auditors, insurers) when we need their advice and where they are bound by professional confidentiality.
- Public authorities, regulators and courts where we are required to disclose information by law.
- Successors in the event of a merger, sale, re-organisation or acquisition affecting Sponsio. Personal data shared in those circumstances will continue to be protected by a notice substantially similar to this one.
7. International transfers
Account data and profile data are stored at rest in the European Union (EU). Some of our service providers operate global edge networks (for example for content delivery) and may briefly process request metadata in regions outside the United Kingdom or the European Economic Area (EEA). Where any transfer of your personal data outside the UK or EEA takes place, it is protected by an appropriate safeguard recognised under the Data Protection Laws, including the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses, together with a transfer risk assessment.
8. Your rights
Subject to the conditions and exemptions in the Data Protection Laws, you have the following rights in respect of your personal data:
- Access — to be told whether we hold personal data about you and to receive a copy of it;
- Rectification — to have inaccurate or incomplete personal data corrected;
- Erasure — to ask us to delete your personal data in defined circumstances, including by closing your account;
- Restriction — to ask us to limit our processing of your personal data in defined circumstances;
- Portability — to receive personal data you have provided to us in a structured, commonly used, machine-readable format and to ask us to transmit it to another controller, where technically feasible;
- Objection — to object to processing based on our legitimate interests on grounds relating to your particular situation;
- Withdraw consent — where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal;
- Complain — to lodge a complaint with a supervisory authority, in particular the UK Information Commissioner’s Office (ICO) or, if you are in the EEA, your local data-protection authority. We would, however, appreciate the chance to address your concerns first.
To exercise any of these rights, email privacy@sponsio.com from the address associated with your account. We may need to verify your identity before acting on a request and will respond within the time limits required by law (normally one month).
9. How long we keep your personal data
We retain personal data only for as long as is necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law. In particular:
- Account and profile data are retained while your account is active and for a short reconciliation period after account deletion (typically up to 30 days) before hard-deletion from primary systems and a further period before expiry from encrypted backups;
- Authentication and security logs are retained by our authentication provider for a limited period sufficient for fraud prevention and incident response;
- Hosting access logs are retained by our hosting provider for short, rolling periods sufficient to operate, secure and debug the Service;
- Communications with us are retained for as long as we need them to address your query and, where relevant, to defend legal claims, in accordance with applicable limitation periods.
10. Cookies
The Service uses only strictly necessary cookies required for authentication and security. We do not use advertising, analytics or tracking cookies. See our Cookies Notice for full detail.
11. Children
The Service is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at the address above and we will take steps to delete it.
12. Security
We use technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure or destruction, including encryption in transit, encryption at rest, salted password hashing, role-based access controls, and row-level security on our database. No system is perfectly secure; if you believe your account may have been compromised, contact us immediately.
13. Changes to this notice
We may update this notice from time to time. The date at the top of the notice indicates when it was last revised. Where changes are material we will take reasonable steps to bring them to your attention, for example by email or by an in-product notice before the changes take effect.
14. How to contact us
For privacy questions, requests to exercise your rights or concerns about our handling of your personal data, please email privacy@sponsio.com.
