Compliance & Trust

Privacy Policy

Effective Date: 9 April 2026

1. Introduction

SWIFTSPARROW LTD trading as Pillar & Post (“we”, “us”, or “our”) is committed to protecting and respecting your privacy and personal data in compliance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, process, and keep your data safe. It applies to our website at www.pillarpostweb.com and the Pillar & Post platform. This Privacy Policy should be read alongside our Terms of Service and Cookie Policy.

The individuals from whom we may gather and use data include: customers (recruitment agencies and HR professionals); business contacts; third parties connected to our customers; and job candidates who submit applications through recruitment websites operated by our customers.

2. Your Data Controller

SWIFTSPARROW LTD trading as Pillar & Post is your data controller and responsible for your personal data. We are registered with the UK Information Commissioner’s Office under registration number CSN4633381.

Any enquiries about your data should be sent to us by email at [email protected] or by post to 140 Eldred Avenue, Brighton, East Sussex, BN1 5EJ.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) at ico.org.uk. We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

3. Data We Collect

We may collect the following personal data from you:

  • Profile/Identity Data: name, job title, profession
  • Contact Data: email addresses, telephone numbers
  • Technical Data: IP address, browser type and version, operating system (automatically collected)
  • Usage Data: information about how you use our website, products, and services
  • Transactional Data: records of subscription payments (held by Stripe — see Section 6)
  • Customer Support Data: feedback and correspondence with our support team
  • Application Data: CVs, cover notes, and contact details submitted by job candidates through recruitment websites operated by our customers. Retained for a maximum of 72 hours then permanently deleted.

We do not collect any Special Categories of Personal Data (including details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health information, or genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

4. How We Collect Data

We collect data in the following ways:

  • Data you give us directly, for example when you register an account, contact us, or use our services
  • Data received from third parties, including job candidates who submit applications through our customers’ recruitment websites
  • Data collected automatically when you visit our website, including IP address, browser information, and usage patterns via cookies

5. Legal Basis for Processing

We only process your personal data where we have a lawful basis to do so. The bases we rely on are:

  • Contractual Obligations: processing necessary to provide you with the service you have signed up for
  • Legal Compliance: processing required by law
  • Legitimate Interests: processing necessary for our legitimate business interests, where this does not override your rights
  • Consent: where you have explicitly opted in, for example to receive marketing communications

6. How We Use Your Personal Data

The table below sets out how we use your personal data and the lawful basis for each use.

| Activity | Type of data | Legal basis | Justification |
|---|---|---|---|
| Registering a customer account | Profile/Identity Data, Contact Data | Contractual Obligations | Necessary to create and manage the customer’s account and provide the service |
| Processing subscription payments | Transactional Data | Legal Compliance, Legitimate Interest | We retain records of subscription status for accounting and legal compliance. Actual payment processing is handled by Stripe as an independent data controller. |
| Delivering the platform service (hosting recruitment sites, job listings, application forwarding) | Profile/Identity Data, Contact Data, Technical Data, Usage Data | Contractual Obligations | Necessary to provide the core service the customer has contracted for |
| Processing job candidate applications on behalf of customers | Profile/Identity Data, Contact Data, Application Data (CVs) | Legitimate Interest | Processing candidate data on behalf of our customers (the data controllers) to deliver their recruitment service. Data retained for 72 hours maximum then permanently deleted. |
| Sending transactional emails (account verification, payment confirmation, payment failure alerts) | Contact Data | Contractual Obligations | Necessary to keep the customer informed about their account status |
| Providing customer support | Contact Data, Customer Support Data | Legitimate Interest | Necessary to respond to support requests and maintain service quality |
| Analytics and platform improvement | Technical Data, Usage Data | Legitimate Interest | Aggregated usage data used to improve platform performance and reliability. No individual profiling. |
| Compliance with legal obligations (e.g. retaining payment records) | Transactional Data | Legal Compliance | Stripe payment records retained as required by financial regulations |

7. Keeping Data Secure

We implement a variety of technical and organisational security measures to protect your personal data, including:

  • All data encrypted in transit using TLS 1.3 via Cloudflare, and encrypted at rest on our Neon PostgreSQL database (AWS Europe West 2, London)
  • Customer data isolated at the database level — each customer’s data is held in a separate PostgreSQL schema and is inaccessible to other customers
  • Payment card data is never processed or stored by us — all payments are handled by Stripe, which is PCI-DSS compliant
  • Candidate CVs are stored in encrypted form, accessible to platform operators only, and permanently deleted after 72 hours
  • Access to production systems is restricted to authorised personnel only

If you suspect any misuse or loss of, or unauthorised access to, your data, please contact us immediately at [email protected].

8. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for.

  • Candidate CV files are automatically and permanently deleted after 72 hours
  • Upon cancellation of a customer account, all customer data is permanently deleted after a 7-day grace period
  • Stripe payment records are retained separately for legal and accounting compliance

9. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data:

  • Right to access — to request a copy of the personal data we hold about you
  • Right to rectification — to have inaccurate or incomplete data corrected
  • Right to erasure — to request that we delete your data where there is no good reason for us continuing to process it
  • Right to restrict processing — to block or limit the way in which we use your data
  • Right to data portability — to request that we transfer your data to you or a third party
  • Right to object — to object to our use of your data, including for direct marketing

To exercise any of these rights, please contact us at [email protected]. We will not charge you for legitimate requests. You may also delete your account at any time from your dashboard, which will permanently delete all associated data after the 7-day grace period.

If you are not satisfied with how we handle your data, you may complain to the ICO at ico.org.uk.

10. International Transfers of Data

Our primary database and application hosting are located in the UK and EU — AWS Europe West 2 (London) and AWS Europe West 1 (Dublin) respectively. All primary candidate and customer data is stored within the UK.

Some of our sub-processors operate outside the UK and EEA. Where data is transferred outside the UK or EEA, we ensure the transfer takes place under Standard Contractual Clauses. A full list of our sub-processors is available on our sub-processor page.

11. Sharing Your Data With Third Parties

We may share your personal data with sub-contractors or affiliates subject to confidentiality obligations. We may also share data if required for legal reasons or in order to enforce our terms.

In the event of a sale or transfer of our business, your data may be transferred to the acquiring entity, subject to the same protections as set out in this Privacy Policy.

This website may include links to third-party websites. We are not responsible for their privacy practices and encourage you to read their privacy policies.

12. Marketing

You will receive marketing communications from us only if you have opted in. You can opt out at any time by contacting us at [email protected].

13. Cookies

We use cookies on our website. For full details of the cookies we use and how to control them, please see our Cookie Policy.

14. Minimum Age

You must not use Pillar & Post unless you are aged 18 or older. This website is not intended for children and we do not knowingly collect data relating to children.

15. Changes to This Privacy Policy

We reserve the right to change this Privacy Policy from time to time or as required by law. Any changes will be posted on this page. This version is dated 9 April 2026. Your continued use of the platform after any changes constitutes acceptance of the updated policy.

16. General

This Privacy Policy is governed by the law of England and Wales. All disputes arising under this Privacy Policy will be subject to the exclusive jurisdiction of the English and Welsh courts.

Questions? Contact [email protected]


© 2026 SwiftSparrow Ltd. All rights reserved.