Legal
Privacy Policy
Last updated: 15 June 2026
1. Introduction
SkillShift ("we", "us", "our") is operated by Synquire Ltd, a company registered in England. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the SkillShift platform (the "Service").
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).
2. Data We Collect
Individual accounts:
- Account information: name, email address, region preference
- Profile data: current role, target roles, experience level, resume text, extracted skills
- Usage data: saved jobs, career paths, analysis history, activity logs, cover letters
- Technical data: cookies for authentication (session token only)
- IP addresses: collected for rate limiting, security, and fraud prevention
Corporate accounts:
- Account information: name, email address, company/agency name
- Organisation data: organisation name, type, membership roles
- Candidate (seeker) data: name, email, phone, current role, target roles, skills, resume text, notes
- Employer data: company name, industry, contact name, contact email, contact phone, notes
- Role data: job title, description, required/preferred skills, experience level, location, salary range
- Match data: candidate-to-role pairings, AI analysis results, match status, notes
- Shortlist data: curated candidate lists shared via unique links
University accounts:
- Account information: name, email address, university name
- Program data: degree programs, modules, learning outcomes, extracted skills
- Cohort data: student group tracking and aggregate readiness metrics
- Pipeline data: employer connections and placement tracking
Lead data:
- Email address and AI Readiness assessment responses submitted via the lead capture form
Operational logs:
- Admin audit logs: administrative actions are logged (including IP address and timestamp) for security and incident investigation purposes
- Email send logs: records of transactional emails sent via the Service
3. Lawful Basis for Processing
- Contract performance (Art. 6(1)(b) UK GDPR): Processing necessary to provide the Service you have requested
- Legitimate interests (Art. 6(1)(f) UK GDPR): Service improvement, security, and fraud prevention
- Consent (Art. 6(1)(a) UK GDPR): Where required for optional communications such as newsletters
Corporate users who upload candidate personal data (names, emails, phone numbers, resumes) act as data controllers for that data. You must ensure you have a lawful basis (such as the candidate's consent or legitimate interest) to share their information with us for processing.
Coaches who store client data (names, emails, career information) for individuals who are not SkillShift users act as independent data controllers for that client data. SkillShift acts as a data processor on behalf of the coach. Coaches are responsible for ensuring they have appropriate consent or another lawful basis before entering client personal data into the Service.
4. Data Storage & Security
Your data is stored on Cloudflare infrastructure (KV and D1). Passwords are hashed using PBKDF2 with 100,000 iterations (SHA-256). Authentication uses secure, HttpOnly cookies. We do not sell or rent your personal data to third parties.
5. Third-Party Processors
- Cloudflare (infrastructure, KV storage, D1 database, hosting) — US-based, EU-US Data Privacy Framework certified
- Anthropic (AI analysis via Claude API) — resume/CV text, job descriptions, and skill information are sent to Anthropic's servers in the United States for processing. Anthropic does not retain API data beyond the duration of the request and does not use it for model training. If you wish to request processing without AI (manual review), contact [email protected]
- Resend (transactional email) — email address used for delivery only
- Stripe (payment processing) — name, email, and payment details are processed by Stripe for subscription billing; subject to Stripe’s Privacy Policy
6. Your Rights
Under UK GDPR and, where applicable, EU GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data via your profile settings
- Erase your data — you can delete your account at any time from your profile settings, which permanently removes all associated data
- Port your data — you can download a machine-readable JSON export of all your data from your profile settings at any time
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or, for EU residents, your local supervisory authority
If you submitted your email via the AI Readiness assessment (lead capture) and do not have a SkillShift account, you may request access to or deletion of your data by contacting [email protected].
To exercise any right, email us at [email protected]. We will respond within 30 days.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, all personal data is permanently removed. We may retain anonymised, aggregated data for analytical purposes. Specific retention periods are as follows:
- User account data: retained until you delete your account
- Candidate (seeker) records uploaded by corporate or coach accounts: automatically deleted 24 months after the record was last updated. Any activity on the record (edit, re-analysis, status change) rolls this forward, so actively maintained candidates are not affected. Controllers can delete records on demand via the dashboard.
- Candidate-to-role match records: 24 months from last update
- Skill-gap analysis results for candidates: 12 months from creation (analysis records are immutable, so the TTL is not rolled forward)
- Lead data (AI Readiness assessment submissions): 90 days
- Admin audit logs: 12 months
- Email send logs: 6 months
- Stripe payment data: retained as per Stripe’s retention policy
Retention TTLs for candidate data are enforced by a scheduled purge job that runs three times per week. If you require a shorter retention period for a specific engagement, contact [email protected].
8. International Transfers
Your data may be processed outside the UK/EEA by our third-party processors. The specific transfer mechanisms for each processor are:
- Cloudflare (hosting, KV, D1): global CDN with EU data residency options, EU-US Data Privacy Framework (DPF) certified
- Anthropic (AI processing): United States, covered by Standard Contractual Clauses (SCCs)
- Resend (email delivery): United States, covered by Standard Contractual Clauses (SCCs)
- Stripe (payments): United States, EU-US Data Privacy Framework (DPF) certified
All our sub-processors include data processing terms in their standard service agreements that address their obligations under Article 28 of the UK GDPR. We review these terms to ensure they meet our data protection requirements.
9. Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the UK GDPR, covering our AI-based career profiling, international data transfers, and lead data collection practices. This assessment is reviewed annually and updated when our processing activities change significantly. A copy is available on request by contacting [email protected].
10. Cookies
We use essential authentication cookies (token for individual accounts, corporate_token for corporate accounts, and university_token for university accounts) required for the Service to function. All are HttpOnly, Secure, and SameSite=Lax. We do not use tracking cookies, analytics cookies, or advertising cookies.
11. Shareable Links
Corporate and university users may generate shareable shortlist links that allow external recipients (e.g. hiring managers) to view a curated list of candidates for a specific role. These links contain a unique token and do not require authentication. When a shortlist link is viewed, we record the view and may notify the shortlist creator by email. Users are responsible for sharing these links only with intended recipients.
12. Newsletter
If you subscribe to our newsletter, we store your email address for the purpose of sending periodic career insights and product updates. You can unsubscribe at any time by contacting us at [email protected]. Newsletter subscription is based on consent (Art. 6(1)(a) UK GDPR).
13. Contact
For any questions about this Privacy Policy, your data, or the Service, please contact us at:
Synquire Ltd
Company number: 14944580
Email: [email protected]
For data protection enquiries, contact [email protected].