Privacy Policy

WorkersFromAsia ("we", "us", "our") operates the platform at workersfromasia.com. We are a B2B recruitment intermediary connecting European employers and Asian recruitment agencies for the lawful placement of skilled tradespeople. For GDPR purposes, we act as a Data Controller for employer and agency personal data, and a Data Processor for candidate personal data submitted by registered agencies. Contact: privacy@workersfromasia.com

We collect only what is necessary to provide the platform service (data minimisation principle, GDPR Article 5(1)(c)): — Employers: company name, contact name, work email address, country, optional phone number, company description, job posting details. — Agencies: agency name, registration country, contact email, ILO compliance declaration records, candidate roster data submitted via CSV. — Candidates: full name, nationality/source country, trade skill, years of experience, biometric verification status (yes/no flag only), availability status. We do not store biometric data itself. — All users: authentication data (email only — we use passwordless magic-link authentication via Supabase). No passwords are stored.

We process personal data under the following legal bases (GDPR Article 6): — Contract performance (Art. 6(1)(b)): Processing employer and agency account data to fulfil our service agreement. — Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, and improving service quality. — Legal obligation (Art. 6(1)(c)): Retaining records of ILO compliance declarations required under applicable law. — Consent (Art. 6(1)(a)): Marketing communications (if opted in). You may withdraw consent at any time.

We share data only to the extent necessary: — Supabase Inc.: Our database and authentication provider (EU data residency available). Data Processing Agreement in place. — Vercel Inc.: Our hosting and deployment provider. Server-side rendering occurs within their infrastructure. — We do not sell personal data to third parties. — We do not share candidate data with employers beyond the information visible in the dashboard (name, trade, source country, experience, verification status). — Agencies may only access candidate profiles they have submitted.

Our platform infrastructure may involve international data transfers. Where transfers outside the EEA occur, we ensure adequate safeguards are in place — including Standard Contractual Clauses (SCCs) — in accordance with GDPR Chapter V. Our primary hosting region is EU (Frankfurt, Germany).

— Active account data: Retained for the duration of the account and 3 years after account closure (for contractual dispute purposes). — Application and pipeline data: Retained for 2 years after the last activity on an application. — ILO compliance declarations: Retained for 7 years (legal obligation). — Authentication logs: Retained for 90 days for security purposes. You may request earlier deletion under the right to erasure (see Section 8).

We use only strictly necessary cookies required for authentication and session management. We do not use advertising trackers, third-party analytics pixels, or behavioural profiling cookies. No cookie consent banner is required for the current cookie set. If we introduce analytics (e.g. privacy-first tools such as Plausible), we will update this policy and request consent where required.

As a data subject under GDPR, you have the following rights: — Right of access (Art. 15): Request a copy of the data we hold about you. — Right to rectification (Art. 16): Correct inaccurate data. — Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"). — Right to portability (Art. 20): Receive your data in a structured, machine-readable format. — Right to object (Art. 21): Object to processing based on legitimate interests. — Right to withdraw consent: Where processing is based on consent, you may withdraw at any time. To exercise any right, email: privacy@workersfromasia.com. We will respond within 30 days.

We implement appropriate technical and organisational measures to protect personal data, including: — Encryption in transit (TLS 1.2+) and at rest. — Row-level security (RLS) on all database tables. — Passwordless authentication — no stored passwords. — Access controls: Users may only access data associated with their own account. — Regular review of third-party processor agreements.

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and flagged on the platform. The date of last update is shown below. Last updated: March 2025.