Privacy Policy

1. Introduction

Sellframe Ltd (company number SC472357), a company registered in Scotland, United Kingdom, is the Data Controller responsible for your personal data processed through 4dayweek.io. We are registered with the Information Commissioner's Office (ICO) under registration number ZA781833.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). This policy applies to all users of 4dayweek.io, including job seekers, employers, and visitors.

If you have any questions about this privacy policy or how we handle your personal data, please contact us at [email protected].

2. Information We Collect

We collect and process the following categories of personal data, depending on how you interact with our service. We only collect information that is necessary for the purposes described in this policy.

Account Information

When you create an account, we collect:

• Email address
• Password (stored as a bcrypt hash - we never store your plaintext password)
• Google OAuth identifier (if you sign in with Google)
• Account creation date and last login timestamp

Profile Information

You may optionally provide the following profile information to enhance your experience:

• Full name
• Country of residence
• Biography and personal description
• Social links (LinkedIn, GitHub, Twitter/X, personal website)
• Job preferences (categories, levels, work arrangement)
• Salary expectations and currency preference
• Availability and job-seeking status

Work History & Education

If you choose to add work history or education to your profile, we collect the details you provide, including employer names, job titles, dates of employment, educational institutions, qualifications, and related descriptions.

Resume Data

When you upload a resume, the file is stored securely on DigitalOcean Spaces (cloud object storage). To help structure your profile, the text content of your resume is sent to an AI service for parsing, which extracts information such as skills, work experience, and education.

Job Application Data

When you apply for a job through our platform, we collect:

• Full name and email address
• LinkedIn profile URL (if provided)
• Resume/CV file
• Cover letter (if provided)
• Responses to custom application fields set by the employer
• Responses to qualifier questions (eligibility criteria)
• Application status and tracking data

Employer Data

If you register as an employer, we collect:

• Company profile information (name, description, logo, website, social links, industry, size, location, work schedule policy, benefits)
• Job posting content and metadata
• Stripe customer identifier for billing purposes (we do not store credit card numbers or full payment details - these are held by Stripe)

Analytics & Usage Data

To understand how our service is used and to improve it, we collect:

• IP address - hashed using SHA-256 with a cryptographic salt before storage (see callout below)
• HTTP referrer URL
• UTM campaign parameters
• Job views, saves, and application events
• Page views and navigation patterns

Newsletter Data

If you subscribe to our newsletter, we collect your email address and the source of your opt-in (e.g. website signup form, during account registration). Newsletter subscriptions are managed through Brevo (formerly Sendinblue), a GDPR-compliant email service provider based in France.

3. How We Use Your Information

We process your personal data only where we have a valid legal basis under Article 6(1) of the UK GDPR. The table below sets out each processing purpose along with the corresponding legal basis.

4. Automated Processing and AI

We use artificial intelligence services to improve the quality and accuracy of information displayed on our platform. It is important to understand what data AI processes and what it does not.

Job and company data processing: We use Anthropic Claude (an AI language model) for the following purposes, all of which involve only job and company data - never personal user data:

• Job data enrichment: Extracting structured information (category, level, skills, schedule type) from job descriptions
• Company description generation: Creating informative company profiles from publicly available data
• Location parsing: Identifying and structuring location data from job postings
• Salary parsing: Extracting and normalising salary information from job descriptions

Resume parsing: When you upload a resume, the text content is processed by an AI service to extract structured information such as skills, work experience, and education. This is done solely to populate your profile and improve your experience on the platform.

AI provider data handling:Our AI providers (Anthropic and OpenAI) do not use your data to train their models. Data is sent via encrypted connections and processed in real time. Under the providers’ standard commercial terms, inputs and outputs may be retained on their infrastructure for up to 30 days for trust-and-safety review, after which they are deleted. This is governed by the respective data processing agreements.

No automated decision-making: We do not engage in solely automated decision-making that produces legal effects or similarly significant effects concerning you, as described in Article 22 of the UK GDPR. AI is used only to structure and enrich data - all material decisions (such as whether to display a job listing) involve human oversight.

Caching: AI responses for job and company data are cached for up to 30 days for performance purposes. This cache contains only job and company data, not personal user data.

AI Headshot Pack (selfie processing)

When you buy the AI Headshot Pack we process your uploaded selfies — which are biometric data under UK GDPR Article 9 — to train a private model for your generation pack and produce studio-style headshots. This processing only happens after you provide explicit, informed consent by ticking the consent checkbox on the upload step, which is our legal basis under Article 9(2)(a).

What we store: the selfie image files on DigitalOcean Spaces with private ACLs, a private per-user model trained against those selfies, and the resulting generated photos.

How long we store it: selfies are automatically deleted 7 days after your pack finishes training. Your trained model and generated photos are automatically deleted 30 days after the pack was created. You can delete any of these sooner from your dashboard at any time.

AI provider: model training and image generation are performed by Fal.ai, our sub-processor, via encrypted connections. Fal.ai does not use your data to train its base models, and acts under a contracted data processing agreement limited to the purpose of fulfilling your headshot pack.

No training, no marketing: we do not use your selfies or generated photos to train our own models, to improve outputs for other users, or for any research, marketing, or advertising purpose.

Withdrawing consent: you can withdraw your consent at any time by deleting your selfies and/or generated photos from the dashboard, or by emailing us at [email protected]. Withdrawal does not affect processing that occurred before you withdrew.

5. Data Sharing and Third Parties

We use the following third-party service providers to operate 4dayweek.io:

Employer data sharing:When you submit a job application through our platform, your application data (including name, email, LinkedIn URL, resume, cover letter, and responses to qualifier questions) is shared with the employer for that specific role. Once the employer receives your application, they become an independent data controller for that data, and their own privacy policy will govern their use of it. We recommend reviewing the employer's privacy policy before applying.

Data storage location:Our primary infrastructure is hosted on DigitalOcean servers located in the United States (New York region). Uploaded files (resumes, company logos) are stored on DigitalOcean Spaces in the same region. All traffic to our service is routed through Cloudflare's global network.

International transfers: As several of our service providers are based in the United States, personal data is transferred outside the United Kingdom. These transfers are safeguarded by the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as appropriate. We have conducted Transfer Risk Assessments for each transfer to ensure that your data receives an adequate level of protection in the destination country.

Third-party links: Our website may contain links to third-party websites, including employer career pages and external job application URLs. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal data.

Other circumstances where we may disclose data:

• To employers: Application data as described above, only when you choose to apply for a role
• Legal requirements: Where we are compelled to do so by law, regulation, court order, or governmental authority
• Business transfers:In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity. We will provide at least 30 days' advance notice via email or a prominent notice on our website before any such transfer
• Anonymised statistics: We may share aggregate, anonymised statistics (such as total job counts or application volumes) that cannot be used to identify any individual

6. Cookies and Similar Technologies

We use a minimal number of cookies, all of which are strictly essential or functional. We do not use any third-party tracking cookies, advertising cookies, or analytics cookies.

Because all of our cookies are strictly essential or functional (required for the service to operate correctly), we are not required to obtain cookie consent under the Privacy and Electronic Communications Regulations 2003 (PECR). Accordingly, no cookie consent banner is displayed.

No third-party tracking: We do not use Google Analytics, Facebook Pixel, advertising cookies, or any other third-party tracking technologies. Your browsing activity on 4dayweek.io is not tracked by external companies.

Do-Not-Track signals: We respect Do-Not-Track (DNT) browser signals. However, since we do not engage in any third-party tracking, the practical effect is the same regardless of your DNT setting.

Email tracking: Emails sent through our newsletter provider (Brevo) may contain tracking pixels that record whether an email has been opened. This data is used solely to measure newsletter engagement and improve our content. You can disable image loading in your email client to prevent this tracking.

7. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. The following table sets out our retention periods:

8. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain exceptions and limitations set out in the legislation.

• Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
• Right to rectification (Article 16): You have the right to request correction of inaccurate personal data, or completion of incomplete data.
• Right to erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose or you withdraw consent. Exception: if you have purchased paid products from us, we must retain financial records (invoices, purchases, subscriptions, refunds) for 6 years after the end of the tax year to comply with UK HMRC rules. In that case, we anonymise the personally-identifying fields (email, name) attached to those financial records while preserving the records themselves against an anonymised user identifier. Stripe retains its own billing records independently under its own retention policy; we can request deletion on your behalf by contacting Stripe support, subject to their legal obligations.
• Right to restrict processing (Article 18): You have the right to request that we limit the processing of your data in certain circumstances, such as while a rectification request is being verified.
• Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to object (Article 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Right to withdraw consent: Where we rely on your consent (e.g. newsletter), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Account deletion: You can permanently delete your account and all associated data through the account settings in your dashboard. This is a hard delete - your personal data, profile information, and resume files will be permanently removed from our systems. Please note that applications previously submitted to employers may have already been shared and cannot be recalled.

How to exercise your rights:

• Self-service: Edit your profile, manage preferences, and delete your account through the dashboard
• Email: Send a request to [email protected] for any rights request. We will verify your identity and respond within 30 days. If a request is particularly complex, we will inform you of any extension (up to a further 60 days) within the initial 30-day period.

Right to complain:If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

• Online: ico.org.uk/make-a-complaint
• Telephone: 0303 123 1113

9. Job Information Disclaimer

Many of the job listings displayed on 4dayweek.io are sourced from company career pages, applicant tracking systems, and other third-party sources through automated processes. While we make every effort to ensure the accuracy and timeliness of the information presented, we cannot guarantee that all details are complete, accurate, or reflect real-time changes made by the employer.

Job data is updated regularly through our processing pipeline. AI enrichment is used to improve the accuracy of structured data such as job categories, skill requirements, schedule types, and salary information. While this process significantly improves data quality, no guarantee of completeness or accuracy is made.

We strongly recommend that you verify all job details, including schedule type, compensation, location, and benefits, directly with the employer before making any decisions based on the information displayed on our platform.

10. Children's Privacy

4dayweek.io is a professional job board intended for individuals aged 16 and over. We do not knowingly collect, process, or store personal data from anyone under the age of 16. If we become aware that we have collected personal data from a person under 16, we will take immediate steps to delete that data from our systems.

If you are a parent or guardian and believe that a child under 16 has provided personal data to us, please contact us at [email protected] so that we can take appropriate action.

11. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Password security: All passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
• Session tokens: Cryptographically random session tokens are generated for each authenticated session.
• IP address hashing: IP addresses are irreversibly hashed using SHA-256 with a cryptographic salt before storage.
• Cookie security: Session cookies are set with HttpOnly (preventing JavaScript access) and Secure (HTTPS-only) flags, with SameSite=Lax to prevent cross-site request forgery.
• Encryption in transit: All traffic to and from 4dayweek.io is encrypted using HTTPS, enforced through Cloudflare.
• Rate limiting: API endpoints are rate-limited to prevent brute-force attacks and abuse.
• Request size limits: Upload and request body size limits are enforced to prevent resource exhaustion attacks.
• Payment security: All payment processing is handled by Stripe, which is certified to PCI DSS Level 1 (the highest level of payment security certification). We never store credit card numbers or full payment details on our servers.
• Backups: Automated database backups are performed regularly to ensure data can be recovered in the event of a failure.
• Access control: Access to production systems, databases, and infrastructure is restricted to the sole operator of Sellframe Ltd.

While we implement these measures to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining and improving our security practices.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page.

For material changes that significantly affect how we collect, use, or share your personal data, we will provide prominent notice by either:

• Sending an email notification to the address associated with your account, or
• Displaying a prominent notice on our website prior to the changes taking effect.

We encourage you to review this policy periodically. Your continued use of 4dayweek.io after any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our handling of your personal data, please contact us using the details below.

Please also see our Terms of Service for the terms governing your use of 4dayweek.io.