Privacy Policy

Last Updated: April 11, 2026

1. Introduction

FursaFlow Ltd ("we," "us," or "our") is the data controller for personal data processed through fursaflow.com (the "Platform"). We are registered in England & Wales and registered with the Information Commissioner's Office (ICO) as required under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains what personal data we collect, the legal basis for processing it, how long we retain it, and the rights you have over your data. By using the Platform, you acknowledge this policy.

2. Data We Collect and Our Legal Bases

2.1 Account Data

When you register, we collect your email address, username, encrypted password, and account type (learner, company, or mentor).

Lawful basis: Performance of a contract (your account agreement with us).

2.2 Profile Data

To connect you with opportunities, we collect your display name, bio, skills, experience level, portfolio information, profile photo, and optionally your location and professional links. For companies we also collect company name and description.

Lawful basis: Performance of a contract; legitimate interest (enabling platform matching and discovery).

2.3 Project and Engagement Data

When you participate in projects, we collect project postings, applications, submissions, messages between users, feedback and ratings, and portfolio items.

Lawful basis: Performance of a contract.

2.4 Payment Data

For paid projects, we collect transaction history and payment records. We use secure payment processors and do not store complete card details.

Lawful basis: Performance of a contract; legal obligation (financial record-keeping).

2.5 Usage and Analytics Data

We automatically collect IP address, device and browser information, pages visited, features used, time on pages, and referral sources to understand how the Platform is used.

Lawful basis: Consent (for analytics and tracking cookies, as described in our Cookie Policy). Where you have not given consent, or have withdrawn it, we limit collection to essential technical data only, under legitimate interest. Data is retained for 13 months on a rolling basis.

2.6 Support and Communications Data

When you contact us, we collect the contents of your messages and our responses.

Lawful basis: Legitimate interest (resolving support requests and maintaining service quality).

2.7 Cookies

We use cookies as described in our Cookie Policy. Non-essential cookies are only set after you provide consent.

3. How We Use Your Data

We use your data only for the purposes disclosed at the point of collection and within the lawful bases stated above:

  • To create and manage your account
  • To connect learners with project opportunities through the Platform
  • To facilitate communications between users
  • To process payments and maintain financial records
  • To improve Platform features and user experience
  • To send transactional emails (project updates, account notifications)
  • To send marketing communications where you have given consent (you may withdraw at any time)
  • To comply with legal obligations and protect against fraud

We will not use your data for any new purpose without giving you prior notice and, where required, obtaining your consent.

4. Data Sharing

We do not sell, rent, or share your personal data with third parties for commercial or marketing purposes.

We use infrastructure service providers (hosting, transactional email delivery) to operate the Platform. These providers act only on our instructions under contractual data processing obligations and may not use your data for their own purposes.

Data you make visible within the Platform — for example, your profile or project submission visible to a company whose project you join — is shared as part of the core service you have opted into. This is not sharing with third parties.

We may disclose data where required by law, court order, or regulatory authority.

In the event of a merger, acquisition, or sale of assets, we will notify you before your data becomes subject to a materially different privacy policy.

5. International Transfers

Where we transfer personal data outside the UK or European Economic Area, we ensure appropriate safeguards are in place. This includes relying on adequacy decisions made by the UK Secretary of State or the European Commission where available, and using Standard Contractual Clauses (SCCs) or other approved mechanisms where not.

We do not transfer data to regions where we cannot ensure an adequate level of protection.

6. Data Retention

We retain your data only for as long as necessary for the purposes set out in this policy or to comply with legal obligations:

Data Category | Retention Period
Account data | Duration of account + 2 years after closure
Project and engagement records | 3 years from project completion
Payment records | 7 years (HMRC requirement)
Support and communications records | 3 years
Usage and analytics data | 13 months (rolling)

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your data where there is no lawful reason to continue processing it.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Automated Decision-Making: The right not to be subject to a decision based solely on automated processing, including profiling, where it produces a significant legal or similarly significant effect on you. FursaFlow does not currently make solely automated decisions that produce such effects.

We will respond to all rights requests within 30 days. To exercise your rights, contact privacy@fursaflow.com.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We implement industry-standard security measures including:

  • Encryption: All data in transit uses TLS/SSL encryption
  • Password Security: Passwords are hashed using bcrypt
  • Access Controls: Strict internal access limitations based on role
  • Regular Audits: Security assessments and vulnerability testing

No method of transmission over the internet is 100% secure. We strive to protect your data but cannot guarantee absolute security. In the event of a breach that is likely to affect your rights and freedoms, we will notify you and the ICO within 72 hours as required by law.

9. Age Requirement

FursaFlow is for users aged 18 and over. We do not knowingly collect data from persons under 18. If we discover that an account belongs to a person under 18, we will delete the account and all associated data without notice.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to registered users with at least 30 days' notice. The updated policy will be published on this page with a revised "Last Updated" date.

11. Contact

For all privacy and data protection queries:

privacy@fursaflow.com

We aim to respond within 48 hours and will always respond within the 30-day legal requirement.

FursaFlow Ltd, London, United Kingdom. Registered in England & Wales.
Company registration number: [TO BE CONFIRMED — REGISTER AT COMPANIES HOUSE BEFORE LAUNCH].
ICO registration reference: [TO BE CONFIRMED — REGISTER WITH ICO BEFORE LAUNCH].

Data Protection Officer: FursaFlow Ltd does not currently meet the threshold requiring mandatory appointment of a Data Protection Officer under Article 37 UK GDPR. All data protection queries should be directed to privacy@fursaflow.com.