Yay Monday – Privacy Notice
Last updated: January 2026 · Contact: [email protected] · Entity: Yay Monday (UK-based) · Jurisdiction: United Kingdom
1. Introduction
This Privacy Notice explains how Yay Monday ("we", "us", or "our") collects, uses, and protects personal information. We provide an online platform that allows employers to manage job vacancies and receive applications. We handle data in line with the UK GDPR and the Data Protection Act 2018. This notice applies to both employers using Yay Monday and applicants submitting applications through the platform.
2. Our role under data protection law
- For employer account data (account, billing, login), Yay Monday is the Data Controller.
- For applicant data (CVs, cover letters, contact details), Yay Monday is a Data Processor acting on behalf of the employer (the Data Controller).
3. Information we collect
From employers/business users: business contact details, account credentials, billing information (processed via Stripe), and usage data (e.g., vacancy posts, credits used).
From applicants: personal details (name, email, phone, postcode), uploaded documents (CV, cover letter), and any information provided in the application.
We also log basic technical data (e.g., IP address, browser type) for security and performance monitoring.
4. How we use the information
For employers: create and manage accounts, process payments, deliver and support the platform, send service and billing communications, detect and prevent fraud or misuse, and maintain security.
For applicants: deliver your application securely to the employer, store your application on behalf of that employer, provide a secure environment for review, and assist with lawful data management and deletion.
We do not use applicant data for marketing, analytics, or profiling.
5. Lawful bases for processing
- Contract: necessary to provide the service to employers (Data Controllers).
- Consent: applicants submitting data for recruitment purposes.
- Legal obligation: accounting, fraud prevention, and data protection compliance.
- Legitimate interests: maintaining and securing the platform, preventing abuse, and improving services.
6. Data sharing
- Stripe: for secure payment processing (employer billing only).
- DigitalOcean: hosting and operating our servers and databases.
- Postmark (ActiveCampaign): sending transactional and notification emails securely on our behalf.
We do not sell or share data with third parties for marketing purposes. If a vacancy is suspected to be fraudulent, we may share relevant information with affected applicants or lawful authorities.
7. Data retention
Employers: account and billing data is kept for up to 6 years for accounting and legal purposes.
Applicants: application data is stored while the vacancy is active. The employer determines how long applicant data is retained. Once a vacancy expires, data may be kept up to 30 days for export before deletion. Yay Monday may not retain applications beyond the vacancy's active or export period. Applicants may request deletion sooner via the employer.
8. Data location and security
Data is stored in the UK or within the EEA with appropriate technical and organisational safeguards. We use encryption, secure hosting, access controls, and data minimisation to protect your information.
9. Your rights
- Access, correction, deletion, portability, and restriction/objection.
- Applicants should contact the employer (Data Controller) to exercise these rights. For employer account data, contact [email protected].
10. Fraud prevention
If an account or vacancy is found to be fraudulent or impersonating another organisation, Yay Monday may suspend or ban the account, withhold associated credits, payments, or data, notify affected applicants, and report the activity to relevant authorities. Applicants can report suspected fraudulent vacancies directly to Yay Monday for investigation.
11. Changes to this notice
We may update this notice from time to time. Updates will be posted on our website with a revised “last updated” date. Continued use of the service after an update means you accept the changes.
12. Contact
Questions about this Privacy Notice or your data: [email protected]. You can also contact the Information Commissioner's Office (ICO).
Appendix – Data Processing Summary
This summary outlines how Yay Monday processes personal data on behalf of employers in line with Article 28 of the UK GDPR.
| Category | Details |
|---|---|
| Data Processor | Yay Monday (sole trader, UK-based) |
| Data Controller | The employer or business user who posts a vacancy |
| Purpose of Processing | Provide a secure system for managing vacancies and processing applications |
| Nature of Processing | Collection, storage, transmission, and deletion of applicant data submitted through the platform |
| Types of Personal Data | Applicant name, email address, phone number, postcode, CV, cover letter, and other information provided |
| Categories of Data Subjects | Job applicants applying to vacancies hosted on Yay Monday |
| Duration of Processing | While the employer account is active, and up to 30 days after a vacancy expires for export; applicants may request deletion sooner via the employer. |
| Sub-Processors | Hosting (DigitalOcean), email delivery (Postmark), billing (Stripe) – see above for details |
| International Transfers | Data stored within the UK or EEA; Postmark (USA) under the UK–US Data Privacy Framework |
| Security Measures | Encryption in transit and at rest, secure hosting, access control, data minimisation, 30-day deletion grace on account closure |
| Data Deletion | Automatic deletion of applicant data after retention period; permanent deletion within 30 days of account closure |
| Breach Notification | Yay Monday will notify the controller without undue delay if a personal-data breach is identified |
| Contact for Data Issues | [email protected] |
| DigitalOcean | Hosting and infrastructure provider for servers and databases (UK/EEA). Standard Contractual Clauses applied where applicable. |
| Postmark (ActiveCampaign LLC) | Transactional and notification email delivery (USA) under the UK–US Data Privacy Framework |