1. Who we are
In this notice “Sponsio”, “we”, “us” and “our” mean the operator of the Sponsio website and any related services (together, the “Service”). Sponsio is the controller of the personal data described in this notice for the purposes of the UK General Data Protection Regulation, the Data Protection Act 2018 and, where applicable to you, the EU General Data Protection Regulation (together, the “Data Protection Laws”).
The Service is operated by the Sponsio team, which acts as the controller of your personal data. For our full corporate registration details and, where applicable, our United Kingdom Information Commissioner’s Office (ICO) registration number, or to exercise any of the rights described in this notice, contact us at privacy@sponsio.com and we will provide them.
Data Protection Officer. We have assessed our processing activities against Article 37 of the UK GDPR and the EU GDPR. At the date of this notice we are not required to appoint a Data Protection Officer; if that position changes, we will appoint one and update this notice. Our point of contact for all matters covered by this notice is privacy@sponsio.com.
UK / EU representative. Where, and to the extent that, we are required to appoint a representative under Article 27 of the UK GDPR (for non-UK established controllers processing the data of individuals in the United Kingdom) or Article 27 of the EU GDPR (for non-EEA established controllers processing the data of individuals in the European Economic Area), we will appoint one and publish its name and contact details here. In the meantime, you can reach us about any UK or EU data protection matter at privacy@sponsio.com.
You can contact us about anything in this notice by emailing privacy@sponsio.com.
2. What this notice covers
This notice applies to personal data we collect when you visit the Service, when you create an account, when you use the public sponsor search and resources, and when you sign in to view personalised job suggestions. It does not apply to third-party websites or services we link to, including GOV.UK and employer career sites, each of which has its own privacy notice.
3. The personal data we collect
We collect the following categories of personal data:
- Account data — the name and email address you provide at sign-up, and a salted, hashed representation of your password (we never store passwords in plain text).
- Profile data — information you choose to provide so that we can match you with relevant roles, including your role family, years of experience, visa status or visa goal, and preferred location.
- Authentication data — session identifiers, refresh tokens and email-confirmation tokens generated by our authentication provider when you sign in or confirm your email address.
- Usage and technical data — standard server logs generated when you visit the Service, including IP address, approximate location derived from IP, user agent, referring URL, requested URL, response status and timestamp. These logs are kept by our hosting and authentication providers for limited periods to operate, secure and debug the Service.
- Communications — the content of any message you send us (for example, by emailing the address above or replying to a transactional email).
Payment data. Sponsio is provided free of charge. We do not collect payment information from you.
We do not intentionally collect special-category data (such as data revealing racial or ethnic origin, health, religion, or sexual orientation). Please do not submit such data to us. Your nationality or visa goal may be inferred from the visa field in your profile; you choose what, if anything, to put there.
4. How and why we use your personal data
We process your personal data for the following purposes and on the following lawful bases:
- To provide the Service to you. Creating and managing your account, authenticating you, generating personalised job suggestions, and operating in-product features. Lawful basis: performance of a contract with you (Article 6(1)(b) UK GDPR / EU GDPR).
- To send you transactional and service messages. Email-confirmation links, password resets, security notices and material changes to terms or this notice. Lawful basis: performance of a contract and legal obligation (Article 6(1)(b) and 6(1)(c)).
- To keep the Service secure and prevent abuse. Detecting and investigating suspicious sign-ins, scraping, fraud and other misuse; protecting the integrity of our systems. Lawful basis: legitimate interests (Article 6(1)(f)) in operating a secure service. Where we rely on legitimate interests, we balance them against your rights and freedoms; you may object as described in section 8.
- To improve the Service. Analysing aggregated, non-identifying patterns of use to fix bugs and improve job matching. Lawful basis: legitimate interests (Article 6(1)(f)) in improving our product. For this purpose we use Vercel Analytics, a cookieless, first-party analytics tool that anonymises IP addresses on Vercel’s servers and does not identify individual visitors. Where you have given consent in our cookie notice, we also use PostHog (EU Cloud) product analytics to understand how features are used, and a Reddit advertising pixel to measure the performance of campaigns that bring people to the Service. We do not use session-replay tools, so we never record your screen.
- To comply with law. Responding to lawful requests from public authorities, regulators and courts, and meeting our own statutory and regulatory obligations. Lawful basis: legal obligation (Article 6(1)(c)) and, where relevant, our legitimate interests in defending legal claims (Article 6(1)(f)).
Marketing. Where you have ticked the optional “email me product updates” box during sign-up or in your profile settings, we store that preference so we can send product updates, sponsor news and research tips for international job seekers. The lawful basis is your consent (Article 6(1)(a) UK GDPR / EU GDPR) and regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The box is unticked by default and is kept separate from our terms acceptance. You may withdraw consent at any time, with no impact on your account, by unticking the box on your profile page or emailing privacy@sponsio.com. Service emails about your account (sign-in confirmations, password resets) are sent on a different lawful basis (performance of contract) and are not affected by this preference.
No solely-automated decisions with legal or similarly significant effects. Our matcher generates indicative scores and labels (for example Strong licence match or Needs review) to surface relevant jobs for you. These labels are informational only and a human (you) makes the decision whether to apply. We do not make any decision producing legal effects concerning you, or similarly significantly affecting you, that is based solely on automated processing within the meaning of Article 22 of the UK GDPR / EU GDPR.
5. Sponsor licence data and job listings
The UK Register of Licensed Sponsors: Workers is published by the Home Office and re-used by us under the Open Government Licence v3.0. The register contains organisation-level information, not personal data about you, and is not derived from anything you do on the Service.
Job listings shown on the Service come from employer career sites, ATS feeds and selected job sources, and may include third-party or aggregator data. Where these listings include the name or contact details of an individual recruiter, those individuals are not customers of Sponsio; we process such data only to the extent necessary to display the public posting to signed-in users and on the basis of our legitimate interests (Article 6(1)(f)) in providing a sponsor-aware job-discovery service. Recruiters who wish their details suppressed should contact us at the address above. Where the personal data of a recruiter or hiring contact is not collected directly from that individual but is obtained from a publicly-available job posting, we rely on the publication of this notice to provide the information required by Article 14 of the UK GDPR / EU GDPR; if you are such an individual you can exercise any of the rights described in section 8 by contacting us at the address above.
6. Who we share your personal data with
We do not sell your personal data. We share it only with the categories of recipient set out below. Where you have accepted optional cookies, Reddit may receive limited page-visit and conversion data through the Reddit advertising pixel as described in our Cookies Notice.
- Our processors and infrastructure providers acting on our written instructions and bound by data-processing agreements: Supabase (authenticated database and authentication; EU region) and Vercel (hosting, content delivery and edge routing).
- Optional AI providers where an AI feature is clearly enabled in the product. We may send limited profile and job details needed to generate explanations or summaries to an AI provider such as DeepSeek or Groq. We do not use AI providers to make visa, employment or legal decisions about you.
- Third-party data sources we query on the server side to populate sponsor and job data (the GOV.UK sponsor register and the applicant tracking systems used by individual employers). These queries are made by our servers and do not include your account identifier, email address or profile data.
- Professional advisers (lawyers, accountants, auditors, insurers) when we need their advice and where they are bound by professional confidentiality.
- Public authorities, regulators and courts where we are required to disclose information by law.
- Successors in the event of a merger, sale, re-organisation or acquisition affecting Sponsio. Personal data shared in those circumstances will continue to be protected by a notice substantially similar to this one.
Changes to our sub-processors. If we add or replace a sub-processor that materially changes the categories of recipient or the location of processing of your personal data (for example by moving primary storage to a new provider or region), we will update this notice and take reasonable steps to bring the change to your attention before it takes effect.
7. International transfers
Account data and profile data are stored at rest in the European Union (EU). Some of our service providers operate global edge networks (for example for content delivery) and may briefly process request metadata in regions outside the United Kingdom or the European Economic Area (EEA). Where any transfer of your personal data outside the UK or EEA takes place, it is protected by an appropriate safeguard recognised under the Data Protection Laws, including the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses, together with a transfer risk assessment.
8. Your rights
Subject to the conditions and exemptions in the Data Protection Laws, you have the following rights in respect of your personal data:
- Access — to be told whether we hold personal data about you and to receive a copy of it;
- Rectification — to have inaccurate or incomplete personal data corrected;
- Erasure — to ask us to delete your personal data in defined circumstances, including by closing your account;
- Restriction — to ask us to limit our processing of your personal data in defined circumstances;
- Portability — to receive personal data you have provided to us in a structured, commonly used, machine-readable format and to ask us to transmit it to another controller, where technically feasible;
- Objection — to object to processing based on our legitimate interests on grounds relating to your particular situation;
- Withdraw consent — where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal;
- Not be subject to solely-automated decision-making — the right under Article 22 of the UK GDPR / EU GDPR not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you, and the right to obtain human intervention. As described in section 4, we do not currently engage in any such processing;
- Complain — to lodge a complaint with a supervisory authority, in particular the UK Information Commissioner’s Office (ICO) or, if you are in the EEA, your local data-protection authority. We would, however, appreciate the chance to address your concerns first.
Some of these rights can be exercised directly in the Service. On your profile page, signed-in users can download a JSON copy of the personal data we hold about them (right of access / portability), withdraw marketing consent, and permanently delete their account (right to erasure). For any other request, or if you cannot access the in-app controls, email privacy@sponsio.com from the address associated with your account. We may need to verify your identity before acting on a request and will respond within the time limits required by law (normally one month).
9. How long we keep your personal data
We retain personal data only for as long as is necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law. In particular:
- Account and profile data are retained while your account is active and for a short reconciliation period after account deletion (typically up to 30 days) before hard-deletion from primary systems and a further period before expiry from encrypted backups;
- Authentication and security logs are retained by our authentication provider for a limited period sufficient for fraud prevention and incident response;
- Hosting access logs are retained by our hosting provider for short, rolling periods sufficient to operate, secure and debug the Service;
- Communications with us are retained for as long as we need them to address your query and, where relevant, to defend legal claims, in accordance with applicable limitation periods.
10. Cookies
The Service uses strictly necessary cookies for authentication and security and, where you have given consent, PostHog product-analytics storage and a Reddit advertising pixel to measure campaign performance. We also use Vercel Analytics, which does not set cookies or other identifiers on your device and anonymises IP addresses on Vercel’s servers. We do not use session-replay or heat-mapping tools. See our Cookies Notice for full detail.
11. Children
The Service is not directed to children. We do not knowingly collect personal data from anyone under 16. The digital-services consent age set by Article 8 of the UK GDPR / EU GDPR is 13 in the United Kingdom (under section 9 of the Data Protection Act 2018) and varies between 13 and 16 across EEA states; we apply the higher age of 16 as a precaution across all jurisdictions. Account creation is in any event restricted to adults under our Terms of Service. If you believe a child has provided us with personal data, please contact us at the address above and we will take steps to delete it.
12. Security
We use technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure or destruction, including encryption in transit, encryption at rest, salted password hashing, role-based access controls, and row-level security on our database. No system is perfectly secure; if you believe your account may have been compromised, contact us immediately.
13. Personal-data breaches
If we become aware of a personal-data breach affecting your personal data, we will notify the United Kingdom Information Commissioner’s Office (and, where applicable, the relevant supervisory authority in the European Economic Area) without undue delay and, where feasible, no later than 72 hours after becoming aware of it, as required by Article 33 of the UK GDPR / EU GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly and without undue delay, in clear and plain language, in accordance with Article 34 of the UK GDPR / EU GDPR. We maintain an internal register of personal-data breaches in line with Article 33(5).
14. Changes to this notice
We may update this notice from time to time. The date at the top of the notice indicates when it was last revised. Where changes are material we will take reasonable steps to bring them to your attention, for example by email or by an in-product notice before the changes take effect.
15. How to contact us
For privacy questions, requests to exercise your rights or concerns about our handling of your personal data, please email privacy@sponsio.com.