St. Lucia Studio

Legal

Privacy Policy

Version 1.0 — Last updated: 20 February 2026

Governing Law: Saint Lucia · GDPR compliant

Summary: We collect only what we need to run the Hire platform. We share candidate data with you as an employer strictly for hiring purposes. We use Supabase and Stripe as processors. You own your company data. Candidates own their profiles. We do not sell data to anyone.

1. Who We Are

St. Lucia Studio Ltd ("we", "us", "our") operates hire.stlucia.studio (the "Hire Platform" or "Platform"). Our registered office is in Castries, Saint Lucia.

Contact our Data Protection Officer: dpo@stlucia.studio

2. What Data We Collect

2.1 Employer Account Data

When you register as an employer, we collect:

  • Company name, industry, size, and district
  • Company website, phone number, and description
  • Your name, email address, and role at the company
  • Company logo (if uploaded)
  • Subscription and billing status (plan, renewal date)

2.2 Job Posting Data

For each job listing you create, we store:

  • Job title, description, requirements, and benefits
  • Salary range (EC$), location, and work type
  • Sector, experience level, and education requirements
  • Post date, expiry date, and status (active, paused, closed)

2.3 Candidate Data You Access

When you use the Hire Platform, you may view candidate profiles sourced from the connected talent.stlucia.studio platform. This includes:

  • Candidate names, headlines, skills, and sectors
  • Work experience and education history
  • Location, availability, and desired roles
  • Optional video resumes and profile photos

You are an independent Data Controller for any candidate data you access. See our Terms of Service, Section 5 for your obligations.

2.4 Usage and Analytics Data

We collect:

  • Pages visited, actions taken, and features used
  • Browser type, operating system, and screen resolution
  • Approximate location (country/region, not precise GPS)
  • Referral source (how you found us)
  • Session timestamps and duration

This data is pseudonymised and used only for platform improvement, not for advertising.

2.5 Payment Data

Payments are processed by Stripe, Inc. We store only:

  • Stripe Customer ID (a reference token, not your card details)
  • Subscription plan, status, and renewal date
  • Invoice history (amount, date, status)

Your full card details never touch our servers. See Stripe's Privacy Policy.

3. Why We Process Your Data

| Purpose | Legal Basis |
| --- | --- |
| Creating and managing your employer account | Contract performance |
| Processing your subscription and payments | Contract performance |
| Displaying job listings and managing applications | Contract performance |
| Providing access to the candidate pool | Contract performance + Legitimate interests |
| Sending transactional emails (receipts, notifications) | Contract performance + Legitimate interests |
| Sending optional product update emails | Consent (withdrawable at any time) |
| Platform analytics and improvement | Legitimate interests |
| Security monitoring and fraud prevention | Legitimate interests + Legal obligation |
| Complying with legal requirements | Legal obligation |

4. How We Share Your Data

We do not sell your data. We share it only with:

4.1 Service Providers (Data Processors)

  • Supabase Inc. — database, authentication, and file storage (US East servers)
  • Stripe, Inc. — payment processing
  • Resend / SMTP provider — transactional email delivery
  • Cloudflare, Inc. — CDN, DNS, and DDoS protection

All processors are contractually bound to process data only on our instructions.

4.2 Legal Disclosures

We may disclose data to courts, regulators, or law enforcement when required by law or to protect the rights and safety of our users and the public.

4.3 Business Transfers

If we are acquired, merged, or our assets are sold, employer and candidate data may transfer as part of the transaction. We will notify you 30 days in advance and give you the opportunity to delete your account.

5. Candidate Data — Your Responsibility

When you access candidate profiles, you become an independent Data Controller for that data. You must:

  • Use candidate data only for evaluating candidates for genuine roles
  • Not share or sell candidate data to third parties
  • Delete candidate data within 12 months of last active use (unless they are hired)
  • Not use video resumes for biometric analysis or profiling on protected characteristics
  • Respond to candidate data rights requests within 30 days
  • Notify us at dpo@stlucia.studio within 48 hours of any data breach

See our Terms of Service for the full data handling obligations.

6. International Transfers

Your data is stored in the United States (Supabase US East) and may be processed by service providers in the US, EU, and other countries. Where EU/UK GDPR applies, transfers outside the EEA are governed by Standard Contractual Clauses (SCCs) or adequacy decisions. You may request a copy of applicable transfer safeguards at dpo@stlucia.studio.

7. Data Retention

  • Active account data: Retained while your account is active
  • After account cancellation: Retained for 90 days, then deleted (unless required by law)
  • Financial records: Retained for 7 years (Saint Lucia tax law)
  • Analytics data: Aggregated after 12 months; raw data deleted
  • Backup data: Deleted within 30 days of scheduled deletion

8. Your Rights

Under GDPR and the Saint Lucia Data Protection Act, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate or incomplete data
  • Erasure — Request deletion of your data ("right to be forgotten")
  • Restriction — Ask us to pause processing of your data
  • Portability — Receive your data in a machine-readable format
  • Object — Object to processing based on legitimate interests
  • Withdraw consent — For any processing based on consent (e.g. marketing emails)

To exercise any right, email dpo@stlucia.studio. We will respond within 30 days. You may also lodge a complaint with your national data protection authority.

9. Security

We implement the following security measures:

  • All data in transit is encrypted via TLS 1.2+
  • Database data encrypted at rest (AES-256, managed by Supabase)
  • Row-Level Security (RLS) policies ensure you can only access your own company data
  • Passwords are hashed using bcrypt via Supabase Auth
  • Regular security reviews and dependency updates
  • Access logs retained for 90 days

Despite these measures, no system is 100% secure. Report any suspected vulnerability to security@stlucia.studio.

10. Cookies

We use the following cookies:

  • Authentication cookie (session token, set on .stlucia.studio domain) — Required. Expires with session or after 7 days.
  • Preference cookie (sidebar state, notification settings) — Functional. Expires after 30 days.
  • Analytics cookie (pseudonymous visitor ID) — Functional. Expires after 12 months. No third-party sharing.

We do not use advertising or tracking cookies. No data is shared with advertising networks.

11. Children

The Hire Platform is intended for employers and business users only. We do not knowingly collect data from persons under 18. If you believe we have done so, contact dpo@stlucia.studio immediately.

12. Changes to This Policy

We may update this Privacy Policy when we change our practices, add new features, or as required by law. We will notify you by email at least 14 days before material changes take effect. The "Last Updated" date above indicates the current version.

13. Contact

St. Lucia Studio Ltd
Castries, Saint Lucia
Data Protection: dpo@stlucia.studio
General: info@stlucia.studio
Website: stlucia.studio

© 2026 St. Lucia Studio Ltd. All rights reserved.