Worker Privacy Notice

IAM-VETTED LTD (company number 17168815) (“iam-vetted”, “we”, “us”) is the data controller for personal data processed through the platform. We operate a UK workforce credentials marketplace.

We provide a platform where workers submit their own information and employers can review that information and independently verify it using official sources.

Important: We do not verify, approve, confirm, or guarantee the accuracy of any information submitted by workers.

General enquiries: hello@iam-vetted.com

Data complaints: complaints@iam-vetted.com

WhatsApp is offered as an optional contact channel for direct, person-to-person conversation. We’ve made it available because some questions are easier to resolve through a short discussion rather than a web form, for example clarifying a process, exploring whether the platform is suitable for a particular situation, or discussing a concern before deciding how to proceed. Messages are reviewed by a member of our team during working hours.

WhatsApp does not replace the standard contact channels listed above. It is not appropriate for the submission of data protection requests, complaints, or other statutory notices; those should use the documented channels so we can verify your request, log it, and meet our legal response obligations.

Please do not use WhatsApp to submit data rights requests, complaints, sensitive personal data, identity documents, credential evidence, or urgent legal notices.

Any data shared through WhatsApp is also subject to the terms and privacy practices of WhatsApp and Meta. Please avoid sharing sensitive or unnecessary personal information through this channel.

WhatsApp Business: open chat

We use your data to:

• Create and display your profile
• Allow employers to search for and unlock your profile
• Share your information with employers when your profile is unlocked
• Provide platform features (including alerts and support)
• Maintain platform integrity and detect potential data issues
• Apply validation checks, expiry calculations, and risk analysis to support data quality and platform integrity

The table below sets out the purposes for which we process your personal data and the lawful basis we rely on under UK GDPR.

• Creating and managing your account: performance of a contract (Article 6(1)(b)), necessary to provide you with access to the platform and its core features
• Displaying your profile to employers: performance of a contract (Article 6(1)(b)), the core service you have registered to use
• Automated checks, risk indicators, and profiling: legitimate interests (Article 6(1)(f)), maintaining the integrity and quality of information on the platform
• Platform security, fraud prevention, and misuse detection: legitimate interests (Article 6(1)(f)), protecting the platform and all users
• Optional phone number verification: legitimate interests (Article 6(1)(f)), improving platform security and trust
• Financial record-keeping and legal compliance: legal obligation (Article 6(1)(c)), where required by law, including accounting and tax obligations

Where we rely on legitimate interests, you have the right to object to that processing. See Section 11 for details.

We use automated systems to analyse submitted data, including identifying inconsistencies and generating risk indicators based on patterns and predefined rules. This type of processing is known as profiling.

These systems:

• Help identify potential issues
• Apply basic validation and formatting checks
• Do not make final decisions about you

If an issue is identified:

• Your profile may be temporarily limited in visibility (for example, hidden from employer search) while it is under review
• You will be notified and given the opportunity to update your information
• You can request a manual review at any time

No permanent action is taken without human review.

You have the right to request human review of any automated processing or profiling that affects your profile.

If you are on a paid plan, the platform also surfaces AI-generated content tailored to you: personalised dashboard insights summarising signals such as profile activity, expiry, demand, and completion; reminders for upcoming credential expiry; context-aware help text on the verify page; and conversational assistance via the in-app AI support chat. These features process your profile data to generate the relevant content. They do not make decisions about you or your profile.

When an employer uses our AI-assisted search, the AI processes only the employer’s natural-language query and converts it into structured filters (such as region, vehicle type, availability, and licence category). Your profile is then matched against those filters by the platform, not by the AI. The AI does not rank, score, or evaluate worker profiles, and your profile data is not sent to the AI service as part of this process. Whether your profile appears in a given employer’s search results is determined by whether your declared information matches the filters they have applied. The display order of matching profiles is set by deterministic, non-AI rules (availability, then subscription tier, then recency).

We have conducted a Data Protection Impact Assessment (DPIA) covering the credential aggregation, AI-assisted processing, and phone-number verification activities described above. The DPIA assesses risks to your rights and freedoms and documents the safeguards in place. A summary is published in our Compliance Pack.

We maintain a fraud suppression list to protect the integrity of the platform and other users. Where an account is removed following confirmed fraudulent activity, we retain a one-way hashed version of certain identifiers associated with that account (for example, email address or phone number). We do not store the original identifiers in this list.

We use this list to check new registrations and existing accounts against previously identified fraud signals. If a match is identified, the account is flagged for manual review. No automated decisions are made based solely on this process, and accounts are not automatically blocked or denied access.

Our lawful basis for this processing is our legitimate interests in preventing fraud and maintaining the security and reliability of the platform. We have carried out a Legitimate Interests Assessment to ensure this processing is necessary and proportionate.

Hashed identifiers are retained for up to 24 months from the most recent confirmed fraud event or match, after which they are securely deleted.

Some of our service providers are based outside the UK. Where this happens, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs)
• UK International Data Transfer Addendum

We assess international transfers in line with UK data protection requirements to ensure that personal data remains protected.

We use appropriate safeguards for international transfers, including the UK extension to the EU-US Data Privacy Framework where applicable, and/or the International Data Transfer Agreement.

We also minimise the data shared. For example, we do not send full verification reference values to AI providers for automated checks.

• Active accounts: while your account remains active
• Verification references: while active on your profile and until they expire, are replaced, or your account is deleted
• Data integrity and fraud-related records: while your account remains active
• Audit logs: up to 6 years, to support accountability and legal compliance
• Financial and payment records: up to 6 years, as required by HMRC and applicable accounting law
• Database backups: up to 30 days from creation, after which they are automatically deleted

If you request account deletion:

• Your account and profile data will be deleted within 30 days, subject to legal retention requirements

However:

We may retain certain transaction and payment records (for example, subscription payments) for longer where required by law, including for accounting and tax purposes (typically up to 6 years). We may also retain anonymised data for statistical purposes.

You can raise a complaint about our handling of your personal data, including our use of cookies and tracking technologies, via our Complaints procedure. We acknowledge complaints within 30 days.

Under UK GDPR, you have the following rights:

• Right to be informed: you have the right to be told how your personal data is used. This privacy notice fulfils that obligation.
• Right of access: you can request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one month.
• Right to rectification: you can ask us to correct inaccurate or incomplete personal data.
• Right to erasure: you can request deletion of your personal data where there is no overriding legal reason for us to keep it. Requests can be made via account settings or by contacting us directly.
• Right to restrict processing: you can ask us to pause processing of your data in certain circumstances, for example while a correction is verified.
• Right to data portability: you can request a copy of your personal data in a structured, commonly used, machine-readable format and have it transferred to another service where technically feasible.
• Right to object: you can object to processing based on legitimate interests, including profiling. We will stop unless we can demonstrate compelling legitimate grounds.
• Rights related to automated decision-making: you have the right to request human review of any automated processing or profiling that has a significant effect on you.

Note: rectification of identity fields (legal name and year of birth) for active profiles requires us to verify updated official records. Please contact hello@iam-vetted.com rather than using your dashboard settings for these changes.

To exercise any of these rights, contact complaints@iam-vetted.com. We will respond within one month. Complex or multiple requests may take up to three months; we will notify you if this applies.

If you are unhappy with how your data is used, you can contact: complaints@iam-vetted.com

We will acknowledge your complaint within 30 days and aim to resolve it as soon as possible.

If you are not satisfied with our response, you have the right to escalate your complaint to the Information Commissioner’s Office (ICO):

• Website: ico.org.uk/concerns
• Telephone: 0303 123 1113
• Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

iam-vetted does not use social media channels as a primary complaints channel. If you raise a concern via our social media accounts, it will be redirected to complaints@iam-vetted.com for formal handling.

We may update this Privacy Notice from time to time. The latest version will always be available on our website.