Effective date: 26 August 2025
Who We Are
This Privacy Policy explains how CareerSeat (“we”, “us”, “our”) collects, uses, and shares information when you visit our site or use our services. For most website and account-related data, we act as a data controller. When an organisation uses CareerSeat for its employees, we typically act as a data processor on that organisation’s behalf. If you have questions, contact support@careerseat.com.
Scope
This Policy covers our website pages and the CareerSeat application. It applies to visitors, registered users, and organisational users invited by their employer.
Information We Collect
- Account & Profile: name, email, username, password (hashed), company linkage, role/permissions.
- Organisation Data: teams, objectives, awards, feedback, and related history created within your organisation.
- Usage & Logs: device/browser info, IP address, timestamps, session IDs, activity logs, error logs.
- Content You Provide: objectives, references, feedback, votes, and any text/images you submit.
- Payments (from 2026): subscription details will be handled via a third-party processor (e.g. Stripe). We don’t store full card details.
- Cookies & Analytics: we use cookies and Google Analytics to understand usage and improve the service.
How We Use Information
- Provide and maintain the service (auth, permissions, leaderboards, objectives, awards, votes).
- Operate monthly/annual cycles and organisation quotas, and display history and public profiles (when enabled).
- Communicate updates, security alerts, and service messages.
- Improve performance, fix bugs, and analyse product usage (aggregated/de-identified where possible).
- Billing and account management (from 2026).
- Comply with legal obligations and enforce Terms of Service.
Legal Bases (UK GDPR)
- Contract: to provide the service you requested.
- Legitimate interests: security, product improvement, reasonable analytics, preventing abuse.
- Consent: where required (e.g., non-essential cookies/marketing).
- Legal obligation: to comply with law or lawful requests.
Sharing & Disclosure
- Within your organisation: admins/managers can view relevant data (e.g., objectives, awards, leaderboards).
- Public data (optional): some fields (e.g., references, certain objectives/awards) can be marked public and may appear on public profiles or leaderboards depending on your organisation’s settings.
- Service providers (processors): hosting, email delivery, analytics, payment processing (from 2026). We require appropriate data protection commitments.
- Legal: if required by law, to protect rights, security, or prevent fraud/abuse.
- Business changes: as part of a merger, acquisition, or asset transfer, subject to this Policy.
International Transfers
Some providers (e.g., analytics, email, payments) may process data outside the UK/EEA. Where applicable, we rely on adequacy decisions or standard contractual clauses and implement appropriate safeguards.
Retention
- Account data: kept while your account is active. If you request deletion, we’ll delete or anonymise it unless we are required by law to retain it.
- Organisation records (e.g., awards, objectives, logs): retained per the organisation’s settings and our legitimate interests in maintaining an audit trail. Public items remain public until removed by admins or you (where configurable).
- Server logs & security logs: typically retained up to 12 months unless needed longer for investigations.
- Billing records (from 2026): retained as required for accounting/legal compliance.
Cookies & Analytics
We use essential cookies for authentication and security, and Google Analytics to understand usage trends. You can control non-essential cookies via your browser or available site controls where offered.
| Type | Purpose | Examples |
|---|---|---|
| Essential | Login sessions, CSRF protection, load balancing | sessionid, csrf_token |
| Analytics | Usage metrics and diagnostics | Google Analytics (GA4) |
Your Rights
Subject to applicable law, you have the right to request access, rectification, erasure, restriction, portability, and to object to certain processing. Where we rely on consent, you can withdraw it at any time. If we process data on behalf of your employer, please direct requests to your organisation first; we will assist them as a processor. You can also contact us at support@careerseat.com.
You have the right to complain to your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO).
Security
We take reasonable technical and organisational measures to protect data, including encryption in transit (HTTPS), password hashing, role-based access controls, CSRF protections, prepared statements for database access, and regular logging/monitoring. No system is perfectly secure; please keep your credentials safe and tell us if you suspect unauthorised access.
Children
CareerSeat is aimed at workplaces and is not directed to children. Do not use the service if you are under the minimum working age in your jurisdiction.
Processor/Controller Roles
When you use CareerSeat as an organisation, you (the organisation) are the data controller for employee data entered into the platform, and we act as your processor. We can provide a Data Processing Addendum (DPA) on request. For our website and account operations, we act as a controller.
Billing & Monitoring (from 2026)
From 2026, for billing purposes we will monitor the maximum number of linked user accounts your organisation has within a calendar month to determine the correct subscription tier. If you believe an account was linked in error, please contact support@careerseat.com promptly to avoid an up-charge.
Changes to This Policy
We may update this Policy from time to time. We’ll change the “Effective date” above and, where appropriate, provide additional notice via email.
Contact
Questions or requests about this Policy or your data? Email support@careerseat.com.
This page is provided for general information and does not constitute legal advice.