OSCABE - Managed Remote Employees

Privacy Policy

Version 2026.05. Effective 1 May 2026. Next review 1 May 2027.

1. Who we are and the scope of this notice

OSCABE LTD ("OSCABE", "we", "us") is a private limited company registered in England and Wales (Company No. 15913493) with its registered office at Milton Keynes, United Kingdom. We operate oscabe.com, a remote-engineering platform that matches industrial automation, AI and robotics engineers - primarily based in India and the United Arab Emirates - with clients in the United Kingdom and across the European Economic Area.

For the purposes of the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018") and the EU General Data Protection Regulation 2016/679 ("EU GDPR") we are the data controller for the personal data described in this notice, except where we act as a data processor on behalf of a client (see section 14).

This notice explains what personal data we collect, how we use it, who we share it with, how we protect it, and what rights you have. It is written to comply with Articles 13 and 14 of the UK/EU GDPR and the ICO's transparency guidance.

2. Categories of personal data we collect

From visitors to oscabe.com: IP address (truncated and hashed), device and browser information, pages visited, and anonymised usage events. Analytics cookies are only loaded with your consent (see our Cookie Policy).

From clients: company name, contact name, work email, work phone, billing address, VAT number, payment data (held only by Stripe, our payment processor - we never store full card numbers), engineering brief details, signed contract metadata.

From engineers ("candidates"): name, professional headline, location and timezone, years of experience, skills and platform proficiency, CV, photograph (optional), LinkedIn/GitHub URLs, bank/wallet details for payouts (held by our payout provider), platform-test scores, work history records, client ratings.

From all signed-up users: email address, hashed password (we never see the plaintext), authentication session, IP address at sign-up and at sensitive actions (hashed), consent records with policy version stamps, signed contract records.

From communications: message content exchanged between clients and engineers through the platform, transactional emails we send, support tickets you raise with us.

Special category data (Article 9 UK/EU GDPR): we do not routinely process special category data. Engineers may voluntarily disclose health-related information when requesting a reasonable adjustment for a platform test; that data is processed under the substantial public interest condition (Schedule 1 Part 2 paragraph 8 DPA 2018) governed by our internal Appropriate Policy Document, and is deleted within 12 months of the adjustment.

3. Why we use your data - lawful bases (UK GDPR Article 6)

| Purpose | Lawful basis |
| --- | --- |
| Operating your account and providing the platform | Performance of a contract - Art 6(1)(b) |
| Matching clients with engineers via our AI engineering advisor | Performance of a contract - Art 6(1)(b); explicit consent for any solely-automated decisions (Art 22) |
| Verifying engineer credentials (CE verification) | Legitimate interests - Art 6(1)(f) - ensuring quality of matched professionals |
| Issuing and collecting invoices, processing payouts | Performance of a contract - Art 6(1)(b); legal obligation for tax records - Art 6(1)(c) |
| Sending transactional email (account, billing, timesheet) | Performance of a contract - Art 6(1)(b) |
| Sending marketing email | Consent - Art 6(1)(a). You can withdraw at any time using the unsubscribe link |
| Fraud prevention, security monitoring | Legitimate interests - Art 6(1)(f) - protecting users and platform integrity |
| Complying with UK / EU regulatory obligations | Legal obligation - Art 6(1)(c) |
| Statistical analytics (only after cookie consent or under PECR statistical-purposes exemption) | Consent or legitimate interests with opt-out |

We carried out a Legitimate Interests Assessment for every Art 6(1)(f) basis cited above. You can request a summary by emailing info@oscabe.com.

4. AI matching and Article 22

Our AI engineering advisor uses a large language model accessed via OpenRouter to suggest a shortlist of CE-verified engineers in response to a client brief. Its suggestions are advisory only and are not the basis of any solely-automated decision that produces legal or similarly significant effects on either clients or engineers:

  • Engineers always go through human CE verification by a Chartered Engineer before becoming publicly matchable.
  • Clients select their own engineers from the AI shortlist; we do not auto-place anyone.
  • Engineers can request human review of any matching outcome, express their point of view, and contest the matching logic by emailing info@oscabe.com.

Where the advisor's logic would otherwise fall within Article 22, processing is carried out only with the engineer's explicit consent, captured at signup and revocable in the engineer portal at any time.

5. International transfers

OSCABE's engineers are predominantly based in India and the United Arab Emirates, neither of which is currently the subject of a UK adequacy decision. We rely on the following safeguards under Chapter V of the UK GDPR / EU GDPR:

  • The UK International Data Transfer Agreement (IDTA) with all engineer entities and our India- and UAE-based service providers.
  • The EU Standard Contractual Clauses (SCC) Module 2 / 3 with our European clients and processors.
  • A Transfer Risk Assessment (TRA) completed in line with the ICO's January 2026 updated guidance and the 5 February 2026 "not materially lower" standard introduced by the Data (Use and Access) Act 2025.
  • Supplementary measures including end-to-end TLS, encryption-at-rest, role-based access controls, and a contractual obligation to notify us of any law-enforcement requests.

You can request a copy of our current TRA summary and IDTA template by emailing info@oscabe.com.

6. Who we share your data with

We share personal data only where necessary to operate the platform. Our current sub-processors are listed publicly at Sub-processors. At a high level we use:

  • Hosting / database: Hostinger (United Kingdom region) and PostgreSQL.
  • Email: Resend (EU region).
  • Billing: Stripe (UK / EU).
  • Payouts to engineers: Wise or local bank transfer.
  • AI inference for the AI advisor: OpenRouter (which routes prompts to Anthropic's Claude models). No prompts containing personal data of engineers are sent without a CE-verified engineer's consent.
  • Analytics: Google Analytics 4 with IP anonymisation, loaded only after consent.

We do not sell personal data and we do not share it with advertising networks.

7. How long we keep your data - retention schedule

| Category | Retention |
| --- | --- |
| Active client / engineer account data | Lifetime of the account |
| Closed-account profile data | 6 years from closure (UK Limitation Act + HMRC tax records) |
| Signed contracts, invoices, payment records | 7 years (UK Companies Act / VAT requirements) |
| Server logs (IP, request) | 90 days |
| Cookie consent records | 24 months from last refresh |
| Marketing consent records | 6 years from withdrawal |
| Backup snapshots | 35 days |
| AI chat sessions | 12 months unless the user requests earlier deletion |

The full retention schedule is at Data Retention.

8. Your rights

Under UK and EU GDPR you have the right to:

  • Access the personal data we hold about you (Art 15)
  • Rectification of inaccurate data (Art 16)
  • Erasure ("right to be forgotten" - Art 17) subject to legal-retention overrides
  • Restriction of processing (Art 18)
  • Portability of data you provided to us in a structured, machine-readable format (Art 20)
  • Object to processing carried out under legitimate interests (Art 21)
  • Withdraw consent at any time, where processing relies on consent
  • Not be subject to a solely-automated decision with legal or similarly significant effects (Art 22)
  • Lodge a complaint with the ICO (ico.org.uk) or your local EU supervisory authority

We respond to all requests within one calendar month. Where a request is particularly complex, we may extend this by two further months and will tell you within the first month. Requests are free of charge unless they are manifestly unfounded or excessive.

To exercise any right, email info@oscabe.com or use the "Download my data" / "Request deletion" buttons in your profile.

9. Security

We apply technical and organisational measures appropriate to the risk under Art 32 UK GDPR:

  • TLS 1.2+ in transit, AES-256 at rest.
  • Bcrypt password hashing (cost 12).
  • Role-based access control with the principle of least privilege.
  • Multi-factor authentication on administrative accounts.
  • Centralised logging and intrusion detection.
  • Annual penetration test by an independent third party.
  • ISO 9001:2015 certified quality management system.
  • Personal-data-impact assessments (DPIA) for material new processing.

10. Breach notification

If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms we will notify the ICO within 72 hours and, where the risk is high, notify affected individuals without undue delay. See Breach Notification Policy.

11. Children

OSCABE is a business platform. We do not knowingly process the personal data of anyone under 18.

12. Cookies

See our Cookie Policy. Following the Data (Use and Access) Act 2025 (in force 5 February 2026), strictly-necessary cookies and a narrow class of statistical-purposes cookies are loaded without prior consent. All other cookies - including marketing and cross-site analytics - load only after you click "Accept all" on our consent banner, which shows "Reject all" with equal prominence.

13. Data Protection Officer

OSCABE is not legally required to appoint a Data Protection Officer under Art 37 UK GDPR. We nonetheless designate a Data Protection Lead - currently the CEO - reachable at info@oscabe.com.

14. When we are a processor, not a controller

When a client uses OSCABE to engage an engineer, the client is the controller of any personal data they instruct us to process on their behalf (for example, internal contacts they introduce to the engineer). OSCABE acts as processor in that scenario. The full processor obligations are set out in our Data Processing Agreement, which is incorporated by reference into every client engagement and which satisfies Art 28(3) UK GDPR.

15. Changes to this notice

We will publish a new version of this notice whenever it changes materially, bump the version number at the top of the page, and notify signed-in users by email or in-app banner. Continued use after the notice date constitutes acceptance.

16. Contact

Postal: OSCABE LTD, Milton Keynes, United Kingdom

Email: info@oscabe.com

ICO complaints: ico.org.uk/make-a-complaint