Privacy Policy
GradFind (“we”, “us”, “our”) is a UK graduate job aggregator. We take your privacy seriously and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data Use and Access Act 2025 (DUAA 2025).
1. Who we are
GradFind is operated as a personal project based in the United Kingdom. You can contact us at gradfind@outlook.com with any data-related queries.
2. What data we collect
When you create an account we collect and store:
- Email address: used to identify your account and (if you opt in) to send job alerts.
- Password (hashed): stored as a one-way bcrypt hash. We never store or see your plain-text password.
- Sector preferences: the graduate sectors you tick at sign-up (e.g. Tech, Finance). Used to filter job alerts.
- Location preference: an optional free-text location you provide (e.g. "London"). Used to filter job alerts.
- Email alerts preference: whether you have opted in to email notifications.
- Privacy acceptance timestamp: the date and time you accepted this Privacy Policy, kept for our DUAA 2025 audit trail.
- Account creation date: the timestamp when your account was created.
We do not collect payment information, government ID, or sensitive personal data as defined by UK GDPR Article 9.
3. Cookies
We use the following cookies:
- session (essential): a Flask session cookie that keeps you logged in. This is strictly necessary and does not require consent.
- remember_token (essential): a long-lived login cookie set when you tick “Remember me”. Strictly necessary.
- cookie_consent (functional): records whether you accepted or rejected optional cookies. Expires after 365 days.
We currently use no analytics or advertising cookies. If we add analytics in future, they will only be set after you explicitly accept via the cookie banner.
4. Legal basis for processing
We process your personal data under the following lawful bases (UK GDPR Article 6):
- Contract performance (Article 6(1)(b)): your email and hashed password are necessary to provide the account service you request when you sign up.
- Legitimate interests (Article 6(1)(f)): sector and location preferences and the account creation date are processed to personalise your job feed. Our legitimate interest is providing a relevant service; this does not override your rights.
- Consent (Article 6(1)(a)): email job alerts are only sent if you tick the opt-in box at registration. You may withdraw consent at any time by deleting your account.
5. How we use your data
- Authenticating you when you log in.
- Displaying job listings relevant to your sector and location preferences.
- Sending email alerts about new graduate roles (only if you opted in).
- Maintaining a DUAA 2025 audit trail of your consent to this Privacy Policy.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
6. Data storage and security
Your data is stored in a PostgreSQL database hosted on Railway (infrastructure provided by Railway Corp, US-based, operating under standard contractual clauses for UK data transfers). Passwords are hashed with Werkzeug’s bcrypt implementation and are never stored in plain text. Database connections use TLS encryption in transit.
7. Data retention
We retain your personal data for as long as your account is active. If you delete your account (see below), all your personal data is permanently removed from our database within 24 hours. We do not keep backups of deleted accounts beyond our standard 7-day rolling database backup window.
8. Your rights under UK GDPR and DUAA 2025
You have the following rights:
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may ask us to correct inaccurate data.
- Right to erasure (“right to be forgotten”): you may delete your account at any time via the link below, which permanently removes all your data.
- Right to restrict processing: you may ask us to pause processing your data while a complaint is investigated.
- Right to data portability: you may request your data in a structured, machine-readable format.
- Right to object: you may object to processing based on legitimate interests.
- Rights related to automated decision-making: we do not carry out solely automated decision-making that produces legal or similarly significant effects.
To exercise any of these rights, email gradfind@outlook.com. We will respond within 30 days as required by UK GDPR. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
9. Children
GradFind is intended for users aged 18 and over. We do not knowingly collect data from children under 13. If you believe a child has registered, please contact us immediately.
10. Changes to this policy
If we make material changes to this policy, we will update the “Last updated” date above and notify registered users by email where required by DUAA 2025.
11. Contact
Questions or requests: gradfind@outlook.com