Hurdle Privacy Policy
Effective date: 24/04/2026
UK GDPR · Data Protection Act 2018 · Privacy and Electronic Communications Regulations (PECR)
This Privacy Policy explains how Hurdle collects, uses, stores, and protects your personal data when you use our mobile application and platform (together, the "Platform"). It also explains your rights under UK data protection law and how to exercise them.
Please read this policy carefully. By creating an account and using the Platform you confirm that you have read and understood it.

1. Who We Are
Hurdle is the data controller responsible for your personal data. This means we determine how and why your data is processed.

Business name: Hurdle World LIMITED

Legal structure: Private Limited Company

Business address: The Smithy, Old Lane, Pulford, Chester, Cheshire

Contact email: info@hurdlecommunity.co.uk

Data protection lead: Nathaniel McAllister (Founder)

ICO registration number: 08/04/2026


If you have any questions about this policy or how we handle your data, please contact us at info@hurdlecommunity.co.uk.

2. What Personal Data We Collect and Why
We collect personal data in the following ways and for the following purposes. We only collect data that is necessary for each specific purpose.

2.1 When you create an account
We collect your first name, last name, and email address to create and authenticate your account and to send you transactional emails such as welcome messages and password resets.

2.2 During onboarding
When you first join the Platform, we ask you a small number of questions to help personalise your experience and connect you with the right people and content. These are:
• Where are you in your journey right now - for example recently made redundant, job searching, student, career change, or graduate.
• What is your main focus right now - for example getting a job, gaining clarity, improving your CV, interview practice, building confidence, or networking.
• What has been hardest lately - for example rejection, motivation, confidence, feeling isolated, or interview anxiety. You can select up to two options.
• What kind of support would help most - for example weekly check-ins, a small peer group, a one-to-one buddy, resources and templates, or meet-ups.
Your answers are visible to other platform users for the purpose of community connection. They are stored for the duration of your account, and you can update them at any time.

2.3 When you build your profile
You provide the following when creating your profile:
• Profile photo - displayed to other users to help you present yourself as a real person within the community.
• Full name - pulled from your account sign-in and displayed to other users for networking purposes.
• Gender - optional at sign-in. You may select Male, Female, Non-binary, or Prefer not to say. Displayed on your profile and used for internal analytics only. It is not used in any matching or recommendation logic.
• Bio - a free-text field of up to 200 characters describing what you are working towards. Displayed to other users.
• Industry - select up to three industries from a predefined list. Displayed to other users and used to connect you with people in relevant fields.
• LinkedIn URL or email address - optional. Allows other users to contact you directly outside the Platform. You choose whether to provide this.

2.4 When you use the task bank
The Platform includes a structured task bank to help you track your daily career progress. We record which tasks you complete, when, and which categories they fall into - for example Applications, Networking, CV, Interview Preparation, or Wellness. This data is visible only to you and powers your progress tracking and calendar reflection tools.

2.5 When you post in the community
The community feed lets you share posts, ask questions, and support other members. You may post text, images, or documents such as CVs, portfolios, and cover letters. You choose what you share. Content you post is visible to all platform users. You can delete your posts at any time.

2.6 When you register for events
If you register for a Hurdle event through the Platform we collect your RSVP and attendance data - including the event name, date, and your attendance status - so we can send you event updates. We use your email address to send these updates via our email delivery service.

2.7 Technical and usage data
We collect technical data about how you use the Platform in aggregate - which features are used and general usage patterns - to improve the product. We use Google Analytics for this purpose, which requires your consent before it is activated. See Section 7 for more information.
We also collect system-level security logs including authentication events, access timestamps, and error signals. These are used solely to detect and respond to security incidents. See Section 3 for the lawful basis.

2.8 What we do not collect
We do not collect payment card or bank details directly. We do not collect special category data such as health, racial or ethnic origin, religious beliefs, or political opinions as part of our standard service. We do not knowingly collect data from or provide services to anyone under the age of 18.

3. Our Lawful Basis for Processing
UK GDPR requires us to have a lawful basis for every type of personal data we process. The table below sets out the lawful basis we rely on for each processing activity.

| Processing activity | Lawful basis | Details |
|---|---|---|
| Account creation - name and email | Contract - Article 6(1)(b) | Necessary to provide the service you have signed up for. |
| Onboarding questions | Consent - Article 6(1)(a) | You choose your answers and consent to them being used for personalisation and community connection. |
| Profile data - photo, bio, industry, LinkedIn | Consent - Article 6(1)(a) | You choose what to include and consent to it being visible to other users. |
| Gender | Consent - Article 6(1)(a) | You choose whether to provide this. Used for analytics only, not matching. |
| Task bank and progress data | Contract - Article 6(1)(b) | Necessary to deliver the core task and progress tracking service. |
| Community posts | Consent - Article 6(1)(a) | You choose what you post and consent to it being visible to other users. |
| Event RSVP and attendance | Consent - Article 6(1)(a) | You choose to register and consent to receiving event communications. |
| Security monitoring and logs | Legitimate interests - Article 6(1)(f) | We have a legitimate interest in protecting the Platform and all users' data. A Legitimate Interests Assessment has been completed. |
| Aggregated product analytics | Legitimate interests - Article 6(1)(f) | We have a legitimate interest in improving the Platform using anonymised usage data. An LIA has been completed. You can object at any time. |
| Google Analytics | Consent - Article 6(1)(a) | Activated only after you give consent via the in-app prompt. You can withdraw consent at any time from app settings. |


4. How Long We Keep Your Data
We keep your personal data only for as long as necessary for the purposes described in this policy or as required by law.

| Data category | Retention period |
|---|---|
| Account data - name and email | Duration of active account. Deleted within 30 days of account deletion. |
| Onboarding answers | Duration of active account. Deleted within 30 days of account deletion. |
| Profile data - photo, bio, industry, gender, LinkedIn | Duration of active account. Deleted within 30 days of account deletion. Profile photos deleted from file storage within 30 days. |
| Task completion and progress data | Duration of active account. Deleted within 30 days of account deletion. Anonymised aggregate data may be retained up to 24 months for product improvement. |
| Community posts | Until you delete the post, or within 30 days of account deletion. |
| Event RSVP data | Duration of active account. Deleted within 30 days of account deletion. |
| Security and access logs | Maximum 90 days from the date the log is created, then deleted. |
| Push notification tokens | Deleted on logout. Deleted within 30 days of account deletion. |
| Google Analytics data | Maximum 14 months as configured in our Google Analytics settings. |


5. Who We Share Your Data With

5.1 Other platform users
Parts of your profile and activity are visible to other Hurdle users as part of the community and networking features. This includes your name, profile photo, bio, industry, journey stage, current focus, biggest hurdle, and any content you post in the community feed. Your LinkedIn URL or email is only visible if you choose to provide it. Your preferred support style is used for internal purposes only and is not displayed publicly.

5.2 Third-party processors
We use the following third-party services to operate the Platform. Each processes personal data on our behalf under a Data Processing Agreement and in accordance with UK GDPR.

| Service | Purpose | Data received | Location |
|---|---|---|---|
| Railway | Backend hosting and database | All data stored in the database | EU West, Amsterdam, Netherlands |
| Cloudflare R2 | File storage for photos and attachments | Profile photos and uploaded files | WEUR (Western Europe) |
| Firebase Cloud | Push notification delivery | Device push notification tokens | europe-west |
| Resend | Transactional email delivery | Email address | Ireland (eu-west-1) |
| Google Analytics | Product analytics - consent required | Anonymised usage data | Google servers - EU-US Data Privacy Framework or SCCs |


We do not sell your personal data. We do not share your data with advertisers.

5.3 International transfers
Some of our third-party processors may store or process your data outside the United Kingdom. Where this is the case, we ensure appropriate safeguards are in place - such as Standard Contractual Clauses or an adequacy decision. Details of transfer mechanisms for each processor are available on request at info@hurdlecommunity.co.uk.

5.4 Legal disclosures
We may disclose your personal data to law enforcement, regulators, or other authorities where required by law, or where necessary to protect the safety of our users or the integrity of the Platform.

6. Your Rights
Under UK GDPR you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at info@hurdlecommunity.co.uk. We will respond within one calendar month.

| Right | What it means |
|---|---|
| Access | Request a copy of all personal data we hold about you (a Subject Access Request). |
| Rectification | Ask us to correct any inaccurate or incomplete personal data. |
| Erasure | Ask us to delete your personal data. You can also delete your account directly from the app, which triggers deletion of all associated data within 30 days. |
| Restriction of processing | Ask us to pause processing your data while we verify a request or where you have objected. |
| Data portability | Request your data in a structured, machine-readable format such as JSON or CSV. |
| Object | Object at any time to processing based on legitimate interests — including security monitoring and aggregated analytics. We will stop unless we can show compelling legitimate grounds. |
| Withdraw consent | Withdraw consent for any consent-based processing at any time from app settings. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Complain | Lodge a complaint with the Information Commissioner's Office (ICO). See Section 13. |


There is no charge for exercising your rights. We may ask you to verify your identity. We will always respond within one calendar month.

7. Cookies and Analytics
We use Google Analytics to understand how users interact with the Platform in aggregate. Google Analytics is only activated after you give consent through the in-app consent prompt. If you do not consent, Google Analytics will not run and no analytics data will be collected about your session.
You can withdraw consent for analytics at any time from the app settings. Where cookies or tracking technologies are used we will provide a clear notice and management tool in line with PECR.

8. Push Notifications
If you allow push notifications on your device, we use Firebase Cloud Messaging (Google) to deliver notifications about platform activity, task reminders, and event updates. Your device generates a unique push notification token which we store securely and use solely to deliver notifications to your device.
You can disable push notifications at any time through your device settings. Your token is deleted when you log out and within 30 days of account deletion.

9. Automated Decision-Making
In the current version of the Platform, we do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Your profile and onboarding answers are used to personalise your experience and surface relevant content and community members, but no automated decision is made about you without human oversight.
If we introduce AI-powered matching or other automated features in a future version we will update this policy, complete the required Data Protection Impact Assessment, and inform you before any changes take effect.

10. How We Protect Your Data
We implement appropriate technical and organisational measures to protect your personal data. These include:
• Encryption of personal data at rest in our database and file storage.
• Encryption of all data in transit using TLS 1.2 or higher.
• JWT authentication with refresh token rotation to protect your account sessions.
• Role-based access controls limiting who can access personal data within our team.
• Security monitoring and logging to detect and respond to incidents.
• Regular security reviews and an independent penetration test before launch.
No system is completely secure. If you believe your account has been compromised, please contact us immediately at info@hurdlecommunity.co.uk.

11. Minimum Age
Hurdle is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you are under 18, please do not use the Platform or provide any personal data to us.
If we become aware that we have collected data from someone under 18 without appropriate consent, we will delete it promptly. Please contact info@hurdlecommunity.co.uk if you have concerns.

12. Changes to This Policy
We may update this Privacy Policy as the Platform evolves or as data protection law changes. If we make material changes, we will notify you by email and via an in-app notice before the changes take effect. The updated policy will show the new effective date at the top.
If you continue to use the Platform after changes take effect you are confirming that you have read and understood the updated policy.

13. Contact Us and Your Right to Complain
If you have any questions about this Privacy Policy, wish to exercise any of your rights, or have a concern about how we handle your data, please contact our data protection lead:

Name: Nathaniel McAllister — Data Protection Lead

Email: info@hurdlecommunity.co.uk

Address: The Smithy, Old Lane, Pulford, Chester, Cheshire


We will try to resolve any concern you raise. If you are not satisfied with our response you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: www.ico.org.uk

Telephone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF



