Employer Privacy Notice

IAM-VETTED LTD (company number 17168815) (“iam-vetted”, “we”, “us”) is the data controller for personal data processed through the platform. We operate a UK workforce credentials marketplace.

We provide a platform where employers can search for workers and access worker-provided information to assess suitability for work.

Important: iam-vetted does not verify, approve, confirm, or guarantee the accuracy of any worker-provided information.

General enquiries: hello@iam-vetted.com

Data complaints: complaints@iam-vetted.com

WhatsApp is offered as an optional contact channel for direct, person-to-person conversation. We’ve made it available because some questions are easier to resolve through a short discussion rather than a web form, for example clarifying a process, exploring whether the platform is suitable for a particular situation, or discussing a concern before deciding how to proceed. Messages are reviewed by a member of our team during working hours.

WhatsApp does not replace the standard contact channels listed above. It is not appropriate for the submission of data protection requests, complaints, or other statutory notices; those should use the documented channels so we can verify your request, log it, and meet our legal response obligations.

Please do not use WhatsApp to submit data rights requests, complaints, sensitive personal data, identity documents, credential evidence, or urgent legal notices.

Any data shared through WhatsApp is also subject to the terms and privacy practices of WhatsApp and Meta. Please avoid sharing sensitive or unnecessary personal information through this channel.

WhatsApp Business: open chat

We use your data to:

• Create and manage your account
• Process payments and manage credits
• Provide access to worker profiles
• Maintain platform security and prevent misuse
• Provide support and respond to enquiries
• Improve platform functionality
• Monitor platform usage and detect suspicious or abusive activity

The table below sets out the purposes for which we process your personal data and the lawful basis we rely on under UK GDPR.

• Creating and managing your account: performance of a contract (Article 6(1)(b)), necessary to provide you with access to the platform and its core features
• Processing payments and managing credits: performance of a contract (Article 6(1)(b)), necessary to provide the paid services you have purchased
• Monitoring platform usage and detecting misuse: legitimate interests (Article 6(1)(f)), protecting the platform and all users
• Optional phone number verification: legitimate interests (Article 6(1)(f)), improving platform security and trust
• Financial record-keeping and legal compliance: legal obligation (Article 6(1)(c)), where required by law, including accounting and tax obligations

Where we rely on legitimate interests, you have the right to object to that processing. See Section 12 for details.

When you unlock a worker profile, you access worker-provided information.

You acknowledge that:

• iam-vetted does not verify this information
• You must independently verify it using official sources
• You are responsible for how you use and handle this data

You agree that:

• You will use worker data only to assess suitability for work
• You will not use this data for marketing, resale, or database building
• You will not share this data with third parties except where necessary for legitimate hiring purposes

You act as an independent controller of any worker data you access.

When you use our AI-assisted search feature, the AI processes only the text of your natural-language query and converts it into structured search filters (such as region, vehicle type, van size, availability, licence category, insurance type, and carrier experience). The platform then returns worker profiles that match those filters. This system:

• Processes the text of your search query only. Worker profile data is not sent to the AI service
• Returns worker profiles that match the filters extracted from your query
• Does not rank, score, or evaluate workers. It does not make decisions about individual workers

The order in which matching profiles are displayed is determined by deterministic, non-AI rules (available workers before unavailable, then by subscription tier, then by recency). It is not based on any AI assessment of workers.

AI-assisted query interpretation is performed by Anthropic. Your search query text may be processed outside the UK; UK-to-US transfers are governed by the UK Addendum to the EU Standard Contractual Clauses incorporated through Anthropic’s standard terms.

You are responsible for any hiring decisions you make based on these results.

In addition to AI-assisted search, the platform also surfaces AI-generated content while you use your account: personalised dashboard insights summarising signals such as credit balance, recent activity, and demand context; structured AI-generated summaries of worker profiles you have unlocked; and conversational assistance via the in-app AI support chat. These features process your account data and worker-submitted profile data to generate the relevant content. They do not make decisions about individual workers, and you remain responsible for verifying credentials independently before any hiring decision.

We have conducted a Data Protection Impact Assessment (DPIA) covering the credential aggregation, AI-assisted processing, and phone-number verification activities described above. The DPIA assesses risks to data subjects' rights and freedoms and documents the safeguards in place. A summary is published in our Compliance Pack.

We maintain a fraud suppression list to protect the integrity of the platform and other users. Where an account is removed following confirmed fraudulent activity, we retain a one-way hashed version of certain identifiers associated with that account (for example, email address or phone number). We do not store the original identifiers in this list.

We use this list to check new registrations and existing accounts against previously identified fraud signals. If a match is identified, the account is flagged for manual review. No automated decisions are made based solely on this process, and accounts are not automatically blocked or denied access.

Our lawful basis for this processing is our legitimate interests in preventing fraud and maintaining the security and reliability of the platform. We have carried out a Legitimate Interests Assessment to ensure this processing is necessary and proportionate.

Hashed identifiers are retained for up to 24 months from the most recent confirmed fraud event or match, after which they are securely deleted.

Some of our service providers are based outside the UK. Where this happens, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs)
• UK International Data Transfer Addendum

We assess international transfers in line with UK data protection requirements to ensure that personal data remains protected.

We use appropriate safeguards for international transfers, including the UK extension to the EU-US Data Privacy Framework where applicable, and/or the International Data Transfer Agreement.

• Account data: while your account remains active
• Credit usage and platform activity data: while necessary to operate the platform and maintain records
• Audit logs: up to 6 years, to support accountability and legal compliance
• Financial and payment records: up to 6 years, as required by HMRC and applicable accounting law
• Database backups: up to 30 days from creation, after which they are automatically deleted

If you request account deletion:

• Your account data will be deleted within 30 days, subject to legal retention requirements

However:

We may retain certain transaction and payment records for longer where required by law, including for accounting and tax purposes (typically up to 6 years). We may also retain anonymised data for statistical purposes.

You can raise a complaint about our handling of your personal data, including our use of cookies and tracking technologies, via our Complaints procedure. We acknowledge complaints within 30 days.

Under UK GDPR, you have the following rights:

• Right to be informed: you have the right to be told how your personal data is used. This privacy notice fulfils that obligation.
• Right of access: you can request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one month.
• Right to rectification: you can ask us to correct inaccurate or incomplete personal data.
• Right to erasure: you can request deletion of your personal data where there is no overriding legal reason for us to keep it. Requests can be made via account settings or by contacting us directly.
• Right to restrict processing: you can ask us to pause processing of your data in certain circumstances, for example while a correction is verified.
• Right to data portability: you can request a copy of your personal data in a structured, commonly used, machine-readable format and have it transferred to another service where technically feasible.
• Right to object: you can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
• Rights related to automated decision-making: you have the right to request human review of any automated processing that has a significant effect on you.

To exercise any of these rights, contact complaints@iam-vetted.com. We will respond within one month. Complex or multiple requests may take up to three months; we will notify you if this applies.

If you are unhappy with how your data is used, you can contact: complaints@iam-vetted.com

We will acknowledge your complaint within 30 days and aim to resolve it as soon as possible.

If you are not satisfied with our response, you have the right to escalate your complaint to the Information Commissioner’s Office (ICO):

• Website: ico.org.uk/concerns
• Telephone: 0303 123 1113
• Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

iam-vetted does not use social media channels as a primary complaints channel. If you raise a concern via our social media accounts, it will be redirected to complaints@iam-vetted.com for formal handling.

We may update this Privacy Notice from time to time. The latest version will always be available on our website.