AstralaNexus Privacy Policy

Effective Date: 10.04.2025
Last Updated: 10.04.2025

Who We Are

Brownlee Cale Ltd (trading as Astrala Nexus (UK)) is a company registered in England and Wales that operates the Astrala Nexus online recruitment platform.  This platform facilitates connections between individuals seeking employment (job seekers or "Candidates") and organizations or persons seeking to hire (employers or "Employers").  For the purposes of data protection law, Brownlee Cale Ltd is the “data controller” of personal data processed via the Astrala Nexus platform.  We are committed to protecting and respecting your privacy in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.  This Privacy Policy explains what personal data we collect, how we use and share it, the legal bases for our processing, and your rights in relation to your data.

What Personal Data We Collect

We collect and process various types of personal information from job seekers and employer representatives in the course of providing our Software-as-a-Service (SaaS) recruitment platform. This includes:

  • Identity and Contact Data: Name, email address, telephone number, postal address, and other contact details provided when creating an account or profile. If you represent an employer, this may include your job title, company name, and business contact information.
  • Profile and CV Data: Information that job seekers choose to include in their profile or curriculum vitae (CV)/resume, such as employment history, education, skills, qualifications, certifications, job preferences, and any references or referees’ details. This also includes any files you upload (e.g. CV documents) and content of communications or messages sent through the platform.
  • Psychometric and Assessment Data: Results of any psychometric tests, personality profiles, technical assessments, or similar evaluations that job seekers complete on the platform as part of the recruitment process. This data helps to provide insights into candidates’ skills or traits and is treated as sensitive personal data.
  • Identity Verification Data: Copies of identification documents (such as passports, driving licences, visas, or other proof of identity/right-to-work documents) that may be collected to verify a candidate’s identity or work eligibility. These documents may contain personal identifiers (e.g. photo, date of birth, nationality) and are handled with care due to their sensitive nature.  
  • Diversity and Sensitive Data: If you choose to provide it, we may collect special category data for diversity and inclusion purposes – for example, information about your ethnicity, race, gender, disability status, or other demographic data, as well as any health information you volunteer (such as need for reasonable adjustments). Providing this information is entirely optional and it will typically be used only in an anonymized or aggregated way to monitor equal opportunities or to make accommodations for disabilities. We will only process such sensitive data with your explicit consent or where otherwise permitted by law (for instance, for compliance with equality legislation).
  • Usage and Technical Data: When you interact with our platform, we collect analytics and technical data automatically. This includes your IP address, device type, browser type, time zone and location, and browsing actions on the platform (e.g. pages viewed, features used, clickstream data). We use cookies and similar tracking technologies to collect some of this data for improving user experience and functionality. Please see our Cookies Policy for more details on how we use cookies and tracking tools.
  • Communication Data: Copies of communications you send through the platform, such as messages between candidates and employers or communications with our support team. These may include email correspondence or in-platform messaging. Such communications are private between the parties involved; we do not monitor them routinely, and we only access them under specific circumstances (for example, if needed to investigate abuse or as required by law, as outlined in our terms).  
  • Payment and Transaction Data: If you are an Employer purchasing services (e.g. a subscription or job posting package), we collect billing details such as your name, company name, billing address, and payment transaction details. Note: We do not collect or store full payment card numbers or bank account details on our systems. Payments are handled via a secure third-party payment processor (for example, Stripe), which processes your payment information on our behalf. The payment processor will receive your payment card details directly, and we receive confirmation of payment and basic information (like payment amount and date). We ensure any such processor protects your data, and we only store necessary payment transaction records (e.g. invoice details) for accounting purposes.

Job Seeker Profile Privacy: All job seeker profiles on Astrala Nexus are private by default. This means that your profile information and CV are not visible to any employer or other user unless you choose to share them. You may choose to share your profile when you actively apply to a job or explicitly allow a particular employer to view your details. Unless you take such action, employers cannot access your profile. We will never make a candidate’s personal profile or CV publicly available without consent. (Employers can only see information you send to them in an application or otherwise deliberately share.)

How We Use Personal Data

We use the personal data we collect for the following purposes, in accordance with data protection law:

  • Providing and Operating our Services: We use your information to create and manage your account, and to deliver the core recruitment platform functionality. For job seekers, this means enabling you to build a profile, upload your CV, search and apply for jobs, and communicate with employers. For employers, this means allowing you to post job vacancies, search or view candidates (with their consent), and manage recruitment processes. We process personal data to facilitate the connection and communication between candidates and employers as requested by our users.  
  • Facilitating Job Matching and Recruitment Processes: We may use candidate profile information, including CV details and assessment results, to match job seekers with suitable job opportunities and to provide search results or recommendations to employers. For example, our platform might suggest candidates for a job opening or suggest job listings to candidates based on their profile and preferences. Any such matching or recommendations may involve profiling techniques, but no hiring decisions are made solely by automated means – final decisions remain with the human employers. This processing is done to improve the efficiency of the recruitment process for both candidates and employers.
  • Communication and Notifications: We use contact information (like email addresses) to send service-related communications. These include confirming your account registration, sending verification emails, notifying you of relevant platform updates or changes (e.g. updates to terms or privacy policy), and sending alerts you configure (such as job application status updates or new job postings that match your preferences). We may also respond to your inquiries, support tickets, or requests for assistance using your communication data.
  • Marketing (with Consent): We may send email newsletters or promotional communications about new platform features, events, or resources that we believe could be of interest to you, only if you have opted in to receive such marketing. You can choose not to receive marketing communications (or withdraw consent later) and this will not affect your use of the platform. Every marketing email will include an “unsubscribe” link allowing you to opt out easily. We will not spam you or send marketing without your consent, and we do not share your contact details with third parties for their own direct marketing.
  • Payments and Subscription Management: For employer users, we process personal data as needed to handle payments, subscriptions, and billing. For example, we use your provided billing information and the details from our payment processor to invoice you, process subscription fees, and manage renewals or cancellations. We keep records of transactions and invoices as required for accounting and legal compliance (e.g. tax regulations).
  • Analytics and Service Improvement: We analyse usage data and feedback to understand how our platform is used and to improve our services. This includes tracking feature usage, identifying usability issues, and gathering aggregate statistics on user interactions. These insights help us optimize the user experience, fix bugs, and develop new features or services. Wherever possible, we use aggregated or anonymized data for analytics to avoid identifying individuals.
  • Security and Fraud Prevention: We process personal data to maintain the security of our platform, our users, and their data. This includes using certain data (like account and device information, and usage patterns) to detect and prevent fraudulent activity, spam, unauthorized access, attacks, or other malicious activities. We also may use identity verification data to confirm user identities where appropriate (for example, to prevent impersonation or ensure only genuine candidates and employers use the platform). If we become aware of any data breach or security incident affecting personal data, we will notify affected individuals and appropriate authorities as required by law.  
  • Legal Compliance and Protection: We may use personal data to comply with our legal obligations and regulatory requirements. For example, we may retain certain transaction records for financial reporting, or use data to respond to lawful requests by public authorities, or to establish, exercise or defend legal claims. Additionally, we use and may disclose data as necessary to enforce our Terms of Business or to investigate and prevent violations of law or our terms – for instance, misuse of the platform, intellectual property infringements, or other misconduct. In limited circumstances, we might access user communications on the platform if needed to comply with legal obligations or to address reports of abuse (as noted above).

We will only use your personal data for the purposes for which we collected it, and for other related purposes that are compatible with the original reason for collection. If we need to use your data for an unrelated purpose, we will notify you and explain the legal basis for that new use. Brownlee Cale Ltd does not sell your personal data to third parties. All processing of personal data is done in line with UK GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.  

Legal Bases for Processing

Under the UK GDPR, we must have a valid legal basis to process your personal data. Depending on the context, one or more of the following bases apply to our processing activities:

  • Performance of a Contract: Most of our processing is necessary to perform the contract between you and us, i.e. to provide you with the Astrala Nexus platform services that you request. When you register an account and agree to our terms, a contractual relationship is formed. We need to process your personal data to fulfill our obligations under that contract – for example, to maintain your account, enable you to apply for jobs (if you are a candidate) or to post jobs and find candidates (if you are an employer), and generally to provide and support the services you use. This also covers processing necessary to take steps at your request prior to entering into a contract – for instance, processing a candidate’s data during job applications can be seen as steps needed before potentially entering an employment contract.  
  • Legitimate Interests: We process certain data as necessary for our (and others’) legitimate interests, provided those interests are not overridden by your data protection rights. Our legitimate interests include: ensuring our recruitment platform operates effectively; helping employers find suitable candidates and job seekers find employment opportunities; improving and securing our services; and communicating with our users. For example, it may be in our legitimate interests to use your data to personalize job match recommendations, to prevent fraud, or to conduct analytics on service usage.  When we rely on this basis, we have weighed our interests against your rights and freedoms to ensure no undue impact on your privacy. You have the right to object to processing based on legitimate interests (see “Your Rights” below).
  • Consent: We will ask for your consent in certain situations where we process your data for a specific purpose that is not covered by another legal basis. In particular, we rely on consent to process special categories of personal data (for example, if you provide optional diversity information such as ethnicity or disability status, we will ask for your explicit consent to use that data for monitoring equal opportunities). We also obtain your consent to send you marketing emails or newsletters. Where we rely on consent, you have the right to withdraw your consent at any time (with effect for the future) – for example, you can opt out of marketing communications at any time, and you can choose not to provide or to remove any diversity information from your profile. Withdrawing consent will not affect the lawfulness of any processing already carried out.
  • Legal Obligation: Some processing is necessary for us to comply with our legal obligations. For instance, we may need to retain certain financial transaction records to satisfy tax and accounting laws, or to disclose information if required by court order or law enforcement requests. Likewise, we may process data to comply with employment laws (for example, assisting employers in verifying a candidate’s right to work, or handling requests related to data protection rights). When we process special category data under this basis, it will typically be under specific provisions of the Data Protection Act 2018 (such as substantial public interest conditions, e.g. for diversity monitoring or prevention of unlawful acts).
  • Vital Interests/Public Task: In nearly all cases, the above bases will cover our processing. It is unlikely, but if ever we needed to process personal data to protect someone’s vital interests (e.g. in a life-threatening situation) or for a task in the public interest, we would do so in accordance with the law. (These bases are mentioned for completeness but generally will not apply to the day-to-day operation of a recruitment platform.)

If you have any questions about the specific legal basis for any particular processing of your data, feel free to contact us (see “Contact Us” section below) and we will provide additional explanation.

Sharing of Personal Data

We treat your personal data with care and confidentiality. However, in order to operate our platform and provide our services, we do need to share personal data with certain trusted third parties and other users as outlined below:

  • Sharing with Employers (for Candidates): If you are a job seeker and you choose to apply for a job or share your profile with an Employer through our platform, we will transmit the relevant personal data to that Employer (e.g. your name, contact details, CV, application answers, and any other information you include in your application). The Employer will use this information to evaluate your candidacy for the job. Please note that once an Employer has received your personal data via our platform, they become an independent data controller of that information. This means the Employer is responsible for complying with data protection laws in how they handle your data (for example, they should not use it for purposes beyond recruitment unless you agree). While we contractually require Employers to use candidate data only for recruitment purposes and to protect it, we are not accountable for their actions outside our platform. Candidates should review any privacy notices provided by the Employer to understand how they will process candidate data. Similarly, if an Employer shares personal information with a Candidate (for instance, an HR contact’s email or interview details), the Candidate must also treat that information confidentially and in accordance with data protection law.
  • Sharing with Candidates (for Employers): If you are an employer user, we may share some of your provided contact details or profile information with candidates in the context of recruitment. For example, if a candidate is selected for an interview, we might share the recruiter’s name and business contact information with the candidate to facilitate scheduling. This information is typically included in job postings or communications that candidates receive. Candidates are likewise expected to use such information only for job-related communication.
  • Service Providers (Processors): We use trusted third-party service providers to help us deliver our services and run our business. These third parties process personal data on our behalf and under our instructions (as “data processors”), or in some cases as independent controllers for specific services (such as payment processing). The types of third-party providers we engage include:
      • Hosting and Infrastructure: Cloud hosting providers and data center services that store our application and database (we ensure our hosting is within the UK).
      • Analytics and Tracking: Analytics tools that help us understand how users use the platform (for example, to count visits, analyze usage patterns, and improve functionality). These tools may use cookies or similar technologies to collect usage data (see “Usage Data” above).
      • Email and Communication Services: Providers we use to send out transactional emails (like account confirmations, notifications) and marketing emails (for those who consent). For example, we might use an email delivery service to ensure emails reach you reliably.
      • Payment Processors: As noted, we use an external payment gateway (e.g. Stripe) to handle credit/debit card payments and subscription billing securely. These payment providers will process your payment details under strict obligations of confidentiality. We do not see or store your full card details on our own servers.
      • Analytics, Monitoring and Other Tools: We may use tools for error tracking, customer support ticketing, or user experience monitoring that might incidentally process some personal data (such as an IP address or user ID in log data) for the purpose of helping us quickly resolve issues and improve the service.

These service providers are given only the minimum personal data necessary to perform their functions, and they are contractually obliged to use the data only for our specified purposes and to protect it. We carefully vet our providers and strive to choose providers who adhere to high data protection standards. For example, we ensure that our service providers implement appropriate security measures and, where relevant, agree to UK GDPR-standard data protection terms (including Standard Contractual Clauses for any international data transfers – see next section). Typical categories of service providers include data storage/hosting services, analytics platforms, email marketing tools, and payment processors. We do not allow our service providers to use your data for their own marketing or unrelated purposes.

  • Legal Requirements and Protection: We may disclose personal data to third parties when required by law or if necessary to protect our rights, comply with a judicial proceeding, court order, or legal process. For example, if a law enforcement agency lawfully requires user data, or if we need to disclose information to regulatory authorities (such as the Information Commissioner’s Office) in the context of investigations or audits. We may also share information with our professional advisors (lawyers, accountants) if needed for legal, compliance, or audit reasons, under duties of confidentiality.
  • Business Transfers: If Brownlee Cale Ltd (Astrala Nexus) undergoes a business transaction such as a merger, acquisition by another company, or sale of all or part of its assets, personal data held by us may be transferred to the new owner or partner as part of that deal. In such cases, we will ensure that the new owner will continue to honor the commitments we have made in this Privacy Policy (unless you are notified otherwise and provided an opportunity to exercise your rights, if applicable).

Importantly, we do not sell or rent your personal information to third-party companies for their independent use. Any sharing is limited to the purposes described above. We also ensure that any third-party with whom we share data either operates under UK data protection law or, if outside the UK, provides adequate safeguards as described below.

International Data Transfers

Your personal data is stored and processed on servers located in the United Kingdom. We do not routinely transfer or store personal data outside the UK. In fact, we have chosen to use UK-based data centres and infrastructure, meaning your data stays within UK jurisdiction.  

In certain cases, some of our service providers or partners might be located outside of the United Kingdom. For example, an email or analytics service might operate from or store data in the European Economic Area (EEA) or the United States. Where this occurs, we take steps to ensure that appropriate safeguards are in place to protect your personal data in accordance with UK GDPR requirements. These safeguards may include:
- Relying on an adequacy regulation (if the data is sent to a country that the UK government has determined offers an adequate level of data protection); or
- Implementing standard contractual clauses (SCCs) or UK International Data Transfer Agreements in our contracts with the provider, to contractually ensure your data is given equivalent protection to that in the UK; or
- Ensuring the provider is certified under an approved mechanism (for example, compliance with a UK-approved certification or code of conduct, if available).

We will only transfer data outside the UK if it is permitted under data protection law and if appropriate measures are in place. You can contact us if you have questions about our international data transfer arrangements. At present, our policy is to keep personal data within the UK to the greatest extent possible. Should that change in future (for example, if we adopt a new service that processes data overseas), we will update this Privacy Policy and ensure any necessary transfer mechanisms are in place before moving your data.

Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In general, this means:

  • Account Information: If you have an account on our platform, we will keep your personal data for as long as your account is active. You have the ability to update or remove certain information in your profile at any time. If you choose to delete your account (or it has been inactive for a long period as defined in our policy), we will delete or anonymize your personal data associated with that account, except for any data we are required or permitted to retain by law or for legitimate business purposes.  For example, we may retain a record of the fact that you had an account and basic information like your email for suppression purposes (so we don’t inadvertently re-contact you) or records necessary for fraud prevention or to resolve disputes.
  • Job Applications and Candidate Data: If you are a job seeker, and you apply to a job or share your profile with an employer, that employer may retain a copy of your application data according to their own retention policies (we recommend you contact the employer or refer to their privacy policy for details on their retention). On our platform, we generally retain your application data for a limited period in case you or the employer need to reference it or in case of a dispute. Typically, if you delete your profile or specific application information, it will no longer be visible to employers via our platform. We may retain logs of the transaction (e.g. that you applied to X job on Y date) for our legitimate interests and legal obligations.
  • Employer Data and Job Posts: If you are an employer, we retain your account data and any job postings or related content for as long as your account is active. If your account is closed, we may archive certain information (e.g. invoices, transaction records) for the required retention period. We may also keep minimal business contact information of past corporate clients for our legitimate business records or to manage re-engagement unless you request deletion.
  • Communications and Support: Any communications you send to us (for example, support tickets or email inquiries) may be retained as long as necessary to address your query and for our internal training or documentation. We will not keep support correspondence longer than needed.
  • Legal and Regulatory Retention: In some cases, we have legal obligations to retain data for a certain period. For example, financial records (including payment transactions and invoices) are generally kept for at least 6 years to comply with UK tax law and audit requirements. Additionally, if we are handling a dispute or legal matter, we will retain relevant data until the issue is resolved and any appeal periods have passed.

When personal data is no longer needed for the purposes for which it was collected, or if you request deletion and we have no lawful basis to retain it, we will ensure it is securely deleted or irreversibly anonymized. For example, we may scrub personal identifiers from data and keep the anonymized information for statistical purposes (which no longer identifies you). We also regularly review our retention practices to ensure we are not holding onto data longer than necessary. If you have specific questions about our data retention periods for a particular type of data, please contact us.

Your Rights

As a data subject, you have a number of important rights under the UK GDPR and Data Protection Act regarding your personal data. These include the right to:

  • Access Your Data: You can request a copy of the personal data we hold about you, and information about how we process it, commonly known as a Subject Access Request. This allows you to confirm what information we have and ensure we are processing it lawfully.
  • Rectification: If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to keep your profile information up-to-date, and you can directly edit many details via your account settings.
  • Erasure: You can ask us to delete or remove your personal data in certain circumstances (the “right to be forgotten”). For example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal basis, or if you object to processing and we have no overriding legitimate grounds to continue. Please note this right is not absolute – we may need to retain some information for legal obligations or other exempt purposes, but we will inform you if that is the case.
  • Restriction of Processing: You have the right to request that we suspend or limit the processing of your personal data in certain scenarios.  For instance, if you contest the accuracy of the data, you can request we restrict processing until the accuracy is verified; or if you have objected to processing (see below) and we are considering our legitimate grounds. During restriction, we can store the data but not use it.
  • Data Portability: For data that you have provided to us, which we process by automated means based on your consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format so you can reuse it or transfer it to another provider.  For example, you might want a copy of your profile information to port to another service. We can also (where feasible) directly transmit the data to another controller at your request.
  • Object to Processing: You have the right to object to our processing of your personal data in certain circumstances. You can object at any time to processing of your data for direct marketing purposes – if you do, we will stop using your data for marketing immediately. You can also object when we are processing data based on legitimate interests (or performing a task in public interest), and you have grounds relating to your particular situation.  We will then reconsider the balance of interests and either cease the processing or explain why we believe we have compelling legitimate grounds to continue.
  • Withdraw Consent: Where we are relying on your consent to process data (such as for optional diversity information or marketing emails), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. If you withdraw or decline consent for something, we will stop that specific processing (e.g. stop sending you newsletters, or delete the special category data you had provided), but it will not affect other processing bases.
  • Non-Discrimination: You have the right not to be subjected to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on you. Astrala Nexus does not engage in solely automated decision-making that would negatively affect your rights; however, if we ever introduce automated decision processes, we will inform you and ensure your rights (such as human review) are protected.
  • Complaint to Regulator: If you believe your data protection rights have been violated or you are dissatisfied with our handling of your personal data, you have the right to lodge a complaint with the UK supervisory authority, which is the Information Commissioner’s Office (ICO).  You can find more information on the ICO’s website (www.ico.org.uk) about how to report concerns. We would, however, appreciate the chance to address your concerns before you approach the ICO, so please consider contacting us first to resolve any issue.

These rights may be subject to certain legal conditions and exemptions. If you exercise any of these rights, we will respond within one month or inform you if an extension is needed (for complex requests). We will not usually charge a fee for handling a request, unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request. To protect your privacy, we may need to verify your identity before fulfilling certain requests (for example, by asking you to confirm some account details).

To exercise your rights, you can contact us using the details in the “Contact Us” section below. We will do our best to accommodate your request and provide you with a satisfactory response.

Data Security

We take the security of your personal data very seriously. Astrala Nexus implements appropriate technical and organisational measures to safeguard personal data against unauthorized access, loss, destruction, or alteration.  These measures include encryption of data in transit, firewalls and network security protections, access controls to ensure only authorized staff and service providers who need to process your data have access to it, and regular monitoring of our systems for vulnerabilities or breaches. We also maintain internal policies and conduct training to ensure staff understand their data protection responsibilities.

While we strive to protect your information, please note that no website, database, or data transmission over the internet can be guaranteed to be 100% secure. However, we continuously assess and improve our security measures to meet or exceed industry standards. If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will inform you and the relevant authorities (such as the ICO) without undue delay, as required by law.  

We also encourage you to play a role in keeping your data secure. Please choose a strong, unique password for your account and keep it confidential. Enable two-factor authentication (if available) for added security. Be cautious about phishing emails or suspicious links – Astrala Nexus will never ask you for your password via email. If you suspect any unauthorized access to your account or any security vulnerabilities, please notify us immediately.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will notify you by appropriate means – for example, by email notification or through a prominent notice on our platform. The “Effective Date” at the top of this policy will indicate when the latest changes were made. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of the Astrala Nexus platform after any updates constitutes your acknowledgment of the revised Policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. We are here to help and address any issues you may have about your privacy.

Data Controller: Brownlee Cale Limited (trading as Astrala Nexus (UK))
Registered Address: Royal House Office 2.08, 110 Station Parade, Harrogate, HG1 1EP, United Kingdom. (Please do not use this address for general correspondence; it is our registered office.)
Email: privacy@astralanexus.ai (Example) – You can email us for any privacy-related inquiries or to exercise your data protection rights.
Data Protection Officer (DPO): We have appointed a privacy team to oversee compliance. You may contact our Data Protection Officer at dpo@astralanexus.ai (if applicable) or through the email above.

We will respond to your questions or requests as promptly as possible. If you contact us to exercise a right, please provide enough information to verify your identity (for example, your account email) and clearly describe your request.

If you feel that we have not adequately resolved your concern, remember you have the right to contact the Information Commissioner’s Office, the UK supervisory authority for data protection issues.  However, we welcome the opportunity to address your concerns first, and we are committed to resolving any privacy issues to your satisfaction.

Thank you for trusting Astrala Nexus with your personal data. We value your privacy and will continue to work hard to protect it while providing you with a powerful and secure recruitment platform.


📧 info@astralanexus.ai