Right To Work Checker

Privacy Policy

Last updated 2026-05-11.

This Service processes two distinct categories of personal data with very different handling: customer data (yours) and applicant data (the subject of a check). Treat them as separate flows.

1. Customer data

When you sign up we collect your email, hashed password (via Supabase Auth), billing metadata, and aggregate usage counts (no per-check PII). This data identifies your account and supports billing, fraud prevention, and product analytics.

  • Lawful basis: contract performance and legitimate interests (security, accounting).
  • Retention: while your tenant is active and for 7 years after closure (HMRC requirement on billing records).
  • Recipients: Supabase (auth + DB), Stripe (payments), Fly.io (hosting), Resend (transactional email).

2. Applicant data

When you call POST /api/check, gov.uk's right-to-work form is driven on your behalf with the share code, applicant date of birth, and your company name. The gov.uk response contains the applicant's name, nationality, photo, permission type, conditions, and audit reference.

We do not persist any of this data. The applicant payload exists in memory for the duration of the request (typically <15 seconds) and is then discarded. We do not log share codes, names, dates of birth, photos, or PDFs. The audit log retains only timestamp, outcome code, and request duration — no identifying values.

  • You are the Controller for applicant data; you must have a lawful basis (typically employment/letting compliance) to process it.
  • We are the Processor acting only on your documented instructions.
  • Retention: none. The data is not stored after the response is sent.

3. Cookies

We use essential cookies only: Supabase session token and CSRF protection. We do not use analytics or advertising cookies. See our Cookies Notice for the full list.

4. International transfers

Customer and applicant data is processed within the UK and EEA (Supabase EU region, Fly.io London region). No transfers outside the UK/EEA take place during a check.

5. Your rights

You have rights of access, rectification, erasure, restriction, portability, and objection under UK GDPR. Because we do not retain applicant PII there is nothing to erase about a checked applicant; their data is already gone. For customer data, write to privacy@rtwchecker.dev or delete your account from the dashboard.

6. Security

API keys are stored only as SHA-256 hashes; plaintext is shown once on creation. All traffic uses TLS. Card data is handled entirely by Stripe and never touches our servers.

7. Complaints

If you are not satisfied with our handling of your data you may complain to the UK Information Commissioner's Office at ico.org.uk.