Privacy Policy

1. Who We Are

WorkTransit AI Ltd ("WorkTransit AI", "we", "us", or "our") provides workforce transition, employability, employer, and programme-delivery software. This policy explains how we collect, use, store, and share personal data when people visit our websites, use our platform, or interact with us.

If you have privacy questions, you can contact us at privacy@worktransit.ai.

2. Scope of This Policy

This policy applies to prospective customers, tenant administrators, advisers, employers, end users, and website visitors. In some cases, an organisation using WorkTransit AI may also act as a controller of user data for its own programme. Where that applies, the organisation's own privacy materials may also be relevant.

3. Personal Data We Collect

• Identity and account data, such as name, email address, role, organisation, and login credentials.
• Profile and transition data, such as employment history, qualifications, skills, goals, CV content, and pathway activity.
• Assessment and learning data, such as responses, scores, progress, recommendations, and feedback.
• Employer and opportunity data, such as vacancies, interview activity, job matches, and application-related records.
• Billing and commercial data, such as subscription details, usage records, invoice information, and service interactions.
• Technical and usage data, such as IP address, browser details, device signals, logs, cookies, and platform events.
• Support and communications data, such as messages, tickets, notifications, and correspondence with us.

4. How We Collect Data

• Directly from you when you register, upload files, complete forms, or contact us.
• From your organisation, adviser, training provider, or employer when they invite you or administer a programme.
• Automatically through platform logs, cookies, analytics, and security monitoring.
• From integrated systems or service providers where this is enabled by your organisation or by you.

5. Why We Use Personal Data

• To provide accounts, authentication, security, and access control.
• To deliver pathway recommendations, assessments, job matching, CV tools, and related platform services.
• To personalise user experience, improve quality, and support programme operations.
• To run billing, finance, support, reporting, and customer relationship processes.
• To monitor service performance, detect misuse, investigate incidents, and maintain resilience.
• To comply with law, regulation, contractual commitments, and lawful requests.

6. Lawful Bases

Depending on the context, we rely on one or more of the following lawful bases:

• Contract, where processing is necessary to provide the service requested.
• Legitimate interests, including service improvement, fraud prevention, security, and programme administration.
• Legal obligation, where we must retain or disclose data to comply with applicable law.
• Consent, where we offer optional analytics, marketing, or similar elective processing.

7. AI and Automated Processing

Some features use AI to generate summaries, recommendations, draft documents, assessments, or insights. These outputs are assistive and may require review. We do not intend AI outputs alone to make decisions with legal or similarly significant effects on individuals. See our AI Transparency Notice for more detail.

8. Sharing Personal Data

We do not sell personal data. We may share data with:

• Your organisation, programme team, adviser, employer, or training provider where relevant to the service.
• Technology and infrastructure sub-processors acting on our instructions (see below).
• Professional advisers, auditors, regulators, law-enforcement bodies, or courts where required or appropriate.
• A buyer or successor organisation in connection with a corporate transaction, subject to appropriate safeguards.

Key sub-processors

We use a limited number of trusted third-party processors to deliver the platform. These are selected for reliability and contractual compliance and include, but may not be limited to:

• Cloud infrastructure provider — hosts the platform, databases, and file storage.
• Anthropic — provides AI model inference for CV generation, coaching, assessment, and insight features.
• Stripe — processes payment card data and manages billing records for paid subscriptions.
• Sentry — receives anonymised error and performance telemetry to support platform reliability.
• Email delivery provider — sends transactional and notification emails on our behalf.
• Neo4j — stores and queries the skills ontology graph used for skill mapping and transition analysis.

An up-to-date list is available on request by contacting privacy@worktransit.ai.

9. International Transfers

Where personal data is transferred outside the UK, we take steps to ensure an appropriate level of protection, such as contractual safeguards, vendor due diligence, and other recognised transfer mechanisms where required.

10. Security and Breach Response

We use technical and organisational measures designed to protect personal data, including access controls, audit logging, encryption in transit where appropriate, least-privilege permissions, monitoring, and incident-management processes. No system can be guaranteed to be completely secure, so users should also protect their credentials and devices.

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware, as required by UK GDPR Article 33. Where a breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay under Article 34. Notifications will be made via the contact details held in your account or, where individual contact is not possible, through a public communication.

11. Retention

We retain data for as long as needed for the relevant purpose, including service delivery, contractual recordkeeping, compliance, audit, and dispute handling. Indicative retention periods are set out below:

• Account and profile data — for the duration of an active account, then up to 7 years after closure for contractual and legal compliance purposes, unless earlier deletion is requested.
• CV, pathway, assessment, and learning data — for the duration of a programme or active account, and typically no longer than 3 years after last activity unless contractually required otherwise.
• Billing and financial records — 7 years from the relevant transaction date, in line with UK financial record-keeping obligations.
• Audit and security logs — up to 2 years, depending on operational and compliance needs.
• Chat and coaching messages — for the duration of an active account; users may delete individual messages at any time.
• Support correspondence — up to 3 years after closure of a support case.
• Cookie and consent records — up to 3 years from the date of consent to support accountability obligations.
• Anonymised analytics data — may be retained indefinitely as it is not linked to identifiable individuals.

Specific retention arrangements for enterprise and public-sector customers may be set out in the applicable data processing agreement. Where data is no longer needed, we delete it, anonymise it, or restrict its use as appropriate.

12. Your Rights

Subject to applicable law, you have the following rights over your personal data:

• Access (Article 15) — request a copy of the personal data we hold about you. You can download your data directly from your account settings.
• Rectification (Article 16) — correct inaccurate or incomplete personal data, including through your profile settings or by contacting us.
• Erasure (Article 17) — request deletion of your personal data in certain circumstances. You can request account deletion from your settings page, which initiates a 30-day grace period followed by anonymisation and permanent deletion.
• Restriction (Article 18) — request that we restrict processing of your data in certain circumstances.
• Portability (Article 20) — receive your data in a structured, machine-readable format and transfer it to another service where applicable.
• Object (Article 21) — object to processing based on legitimate interests, including profiling. Where your objection relates to direct marketing, we will always honour it. For other purposes, we will consider the objection and cease processing unless we have compelling legitimate grounds.
• Automated decision-making (Article 22) — we do not use solely automated processing to make decisions that produce legal or similarly significant effects. AI outputs on the platform are assistive and subject to human review. If you believe an automated process has significantly affected you, contact us and we will arrange human review.
• Withdraw consent — where processing depends on your consent, you may withdraw it at any time through your account settings or by contacting us. Withdrawal does not affect the lawfulness of prior processing.

To exercise these rights, contact privacy@worktransit.ai or use the data rights tools in your account settings. We will respond within one month. You may also complain to the Information Commissioner's Office at ico.org.uk.

13. Cookies and Similar Technologies

We use cookies and similar technologies for security, authentication, preferences, analytics, and service improvement. More detail is available in our Cookie Policy.

14. Changes to This Policy

We may update this policy from time to time. We will publish the latest version here and update the "last updated" date above. Material changes may also be notified through the platform or by email where appropriate.