Privacy Policy
Last updated: 29 March 2026
1. Who we are
Edinburgh Festival Jobs ("we", "us", "our") operates the website www.edinburghfestivaljobs.com. We are the data controller for the personal data we collect through this site. You can contact us at [email protected].
2. What data we collect
Recruiter accounts
When you register as a recruiter, we collect: email address, password (stored securely hashed), company name, and optionally your company website. If you enable two-factor authentication, we store your authenticator key.
Job applications
When an applicant applies for a job, we collect: full name, email address, phone number (optional), cover message, and CV file (if uploaded). This data is shared with the recruiter who posted the job.
Payment data
We do not store credit card numbers or payment card details. All payment processing is handled by Stripe. We store only the Stripe session ID and payment reference for our records.
Automatically collected data
We record job listing view counts (aggregate, not per-user). We use essential cookies as detailed in our Cookie Policy. We do not use analytics, tracking pixels, or advertising cookies.
3. How we use your data
We use personal data for the following purposes and legal bases:
| Purpose | Legal basis |
|---|---|
| Account creation and authentication | Contract performance |
| Processing job listing payments | Contract performance |
| Sharing applications with recruiters | Legitimate interest (facilitating recruitment) |
| Sending transactional emails (confirmations, password resets, application notifications) | Contract performance / legitimate interest |
| Preventing fraud and securing the platform | Legitimate interest |
We do not sell your personal data. We do not use your data for profiling or automated decision-making.
4. Who we share data with
- Stripe (payment processing) — Privacy Policy
- Resend (transactional emails) — Privacy Policy
- Recruiters receive applicant data (name, email, phone, cover message, CV) for jobs they have posted
We do not share data with advertisers, data brokers, or any other third parties unless required by law.
5. Data retention
- Recruiter accounts: retained while the account is active. You can request deletion at any time.
- Job listings: retained for 12 months after expiry, then deleted.
- Applications and CVs: retained for 6 months after the listing expires, then permanently deleted.
- Payment records: retained for 6 years as required by HMRC.
6. Data security
We take appropriate technical and organisational measures to protect your data, including:
- HTTPS encryption on all pages
- Passwords stored using industry-standard hashing (ASP.NET Core Identity)
- CSRF protection on all forms
- Content Security Policy headers to prevent XSS attacks
- CVs stored outside the public web directory, accessible only to authorised recruiters
- Two-factor authentication available for recruiter accounts
7. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate or incomplete data
- Erasure ("right to be forgotten") of your personal data
- Restrict processing of your data
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. International transfers
Your data may be processed by our third-party providers (Stripe, Resend) in the United States. These transfers are protected by Standard Contractual Clauses as approved by the UK Government.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top of this page will be revised accordingly.