UK GDPR & DATA PROTECTION POLICY

JNX Technology Ltd (trading as InstaCrew)

Last updated: 11/01/2026

1. Purpose and Regulatory Framework

This UK GDPR & Data Protection Policy documents the measures implemented by JNX Technology Ltd, trading as InstaCrew, to ensure compliance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

This Policy is intended to demonstrate accountability, transparency, and lawful processing in accordance with ICO guidance and applies to all personal data processed through the InstaCrew platform.

2. Data Controller and Processor Status

For the purposes of UK data protection legislation:

• JNX Technology Ltd trading as InstaCrew acts as Data Controller where it determines the purposes and means of processing personal data; and

• acts as Data Processor where it processes personal data strictly on the documented instructions of Businesses using the Platform.

These roles are assessed per processing activity and documented internally.

3. Categories of Personal Data Collected and Processed

JNX Technology Ltd processes the following categories of personal data through the InstaCrew platform:

3.1 Identity and Right-to-Work Data

• Full legal name

• Date of birth

• Passport details

• Driving licence details

• Government-issued legal identification

• UK Home Office share codes (where provided)

This data is collected solely for identity verification and right-to-work compliance purposes and is not used for automated decision-making.

3.2 Contact and Account Data

• Email address

• Telephone number

• Residential address (where provided)

• Account credentials (stored in encrypted or hashed form)

3.3 Work and Platform Usage Data

• Availability and shift history

• Engagement records

• Ratings, reviews, and feedback

• Platform communications

3.4 Technical and Usage Data

• IP address

• Device identifiers

• Browser type and operating system

• Login timestamps and activity logs

3.5 Financial and Transaction Metadata

• Payment status indicators

• Transaction references

• Invoicing and platform fee records

Important: Payment card details are never stored by JNX Technology Ltd.

4. Lawful Bases for Processing

Processing activities are conducted only where a lawful basis exists under Article 6 UK GDPR, including:

• Performance of a contract – to operate and provide the Platform

• Legal obligation – including right-to-work and regulatory compliance

• Legitimate interests – to ensure platform security, integrity, and fraud prevention

• Consent – where required for optional processing activities

Lawful basis determinations are recorded and reviewed periodically.

5. Hosting, Infrastructure, and Data Storage

The InstaCrew platform is hosted using a combination of:

• Microsoft Azure cloud infrastructure; and

• Google Firebase services (including authentication, messaging, and application services).

Data is hosted primarily within UK and/or EEA data centres, as configured by JNX Technology Ltd. Access to production systems is restricted to authorised personnel and monitored.

JNX Technology Ltd remains responsible for compliance irrespective of the infrastructure used.

6. Third-Party Service Providers

JNX Technology Ltd uses carefully selected third-party service providers to support Platform functionality, including:

• cloud hosting and infrastructure providers (e.g. Microsoft Azure);

• application services and authentication (e.g. Firebase);

• payment facilitation services (e.g. Stripe);

• analytics, monitoring, and customer support tools.

Where such providers process personal data, they do so under written contractual terms incorporating UK GDPR-compliant data protection obligations.

7. Payment Processing (Stripe)

Payments facilitated via the Platform are processed by Stripe or Stripe-affiliated entities.

• Stripe acts as an independent data controller for payment card information.

• JNX Technology Ltd receives only limited transaction metadata necessary for reconciliation and record-keeping.

• JNX Technology Ltd does not store or process full cardholder data and does not have access to payment card numbers.

8. International Data Transfers

JNX Technology Ltd does not intentionally transfer personal data outside the United Kingdom.

Where third-party providers may process data from locations outside the UK, JNX Technology Ltd ensures that appropriate safeguards are in place, including adequacy decisions or approved contractual protections, in accordance with UK GDPR requirements.

9. Data Security Measures

Appropriate technical and organisational measures are implemented to safeguard personal data, including:

• encryption of data in transit and at rest where appropriate;

• role-based access controls;

• logging and monitoring of system access;

• regular security reviews and updates.

10. Data Retention and Deletion

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, including legal, regulatory, and audit obligations.

Where retention is no longer required, data is securely deleted or anonymised.

11. Data Deletion Requests

Individuals may request deletion of their personal data by submitting a written request to:

📧 info@jnxtechnology.co.uk

Requests will be:

• verified to confirm identity;

• assessed against legal retention requirements;

• actioned within statutory timeframes.

Where deletion cannot be completed due to legal obligations, the individual will be informed accordingly.

12. Data Subject Rights

Individuals have rights under UK GDPR, including the right to:

• access personal data;

• request rectification;

• request erasure;

• restrict or object to processing;

• request data portability.

All requests are logged and handled in accordance with statutory requirements.

13. Personal Data Breach Management

JNX Technology Ltd maintains a documented incident response procedure to identify, investigate, and contain personal data breaches.

In the event of a breach:

1. The matter must be reported internally to JNX Technology Ltd immediately;

2. A risk assessment will be conducted without undue delay;

3. Where required by law, the Information Commissioner’s Office (ICO) will be notified within 72 hours;

4. Affected individuals will be notified where there is a high risk to their rights and freedoms.

All incidents are recorded for accountability purposes.

14. Accountability and Governance

To demonstrate compliance, JNX Technology Ltd maintains:

• records of processing activities;

• data protection risk assessments;

• processor agreements;

• staff training records;

• internal policies and procedures.

15. Training and Confidentiality

All personnel with access to personal data are subject to confidentiality obligations and receive appropriate data protection training.

16. Policy Review

This Policy is reviewed periodically and updated to reflect changes in law, technology, regulatory guidance, or business operations.