Privacy Policy
Last updated: May 2026
1. Who We Are
This Privacy Policy describes how Your Organization collects, uses, and protects personal data processed through the Zephyr platform in connection with J-1 Work and Travel student placement programmes.
Your Organization is the data controller for personal data processed on this platform. The platform is operated on Your Organization's behalf by Synnefo Ltd (see Section 7).
2. What Data We Collect
We process the following categories of personal data:
| Category | Fields | Who |
|---|---|---|
| Identity | Full name, date of birth, gender, nationality | Students |
| Contact | Email address, WhatsApp / phone number | Students, staff |
| Immigration | Passport number, passport expiry, visa type, DS-2019 number, visa appointment date | Students |
| Programme | Programme start/end dates, English proficiency score, placement details, employer name and position | Students |
| Logistics | Arrival flight number, airport, arrival date and time, accommodation assignment | Students |
| Account | Name, email address, role, agency affiliation | Platform users (Your Organization staff, agency employees) |
Student data is provided to Your Organization by sending agencies on behalf of the students they represent. Platform user data is collected directly from users at account creation.
3. Why We Process This Data and Our Legal Basis
| Purpose | Legal Basis |
|---|---|
| Matching students to US host employer job positions | Contractual necessity (J-1 placement contract between agency and Your Organization) |
| Coordinating arrival logistics (flights, accommodation) | Contractual necessity |
| Communicating placement outcomes to sending agencies | Contractual necessity |
| Fulfilling J-1 visa programme regulatory requirements | Legal obligation |
| Maintaining placement records for programme audit and accountability | Legitimate interest |
| Managing platform user accounts and access | Contractual necessity (platform access agreement) |
4. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Student records (identity, immigration, placement, arrivals) | 3 years after the end of the programme season, as required for J-1 audit compliance |
| Platform user accounts | Deleted within 30 days of account deactivation |
| Email notification logs | 30 days |
After the retention period, data is permanently deleted from our platform and all sub-processors. We do not archive data beyond these periods.
5. Who We Share Data With
We share personal data only as necessary for the purposes described above:
- US host employers — placement details (student name, position, programme dates) to facilitate the work placement. No immigration or contact data is shared without necessity.
- WISE (J-1 visa sponsor) — programme data required to issue DS-2019 forms. As a federally designated J-1 sponsor, WISE is legally required under 22 CFR Part 62 to report student data to the US Department of State and DHS via the SEVIS system. This reporting is a mandatory condition of J-1 programme participation and cannot be opted out of.
- Sending agencies — placement outcomes and logistics updates relating to their own students only.
- Platform sub-processors — see Section 7.
We do not sell, rent, or trade personal data. We do not use personal data for advertising.
6. Your Rights
Depending on your location and applicable law, you may have the following rights in relation to your personal data:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (subject to legal retention obligations)
- Portability — receive your data in a machine-readable format
- Restriction — ask us to pause processing while a dispute is resolved
- Objection — object to processing based on legitimate interest
To exercise any of these rights, contact us using the details in Section 12. We will respond within 30 days. If you are a student, your sending agency may also submit requests on your behalf.
If you are located in the EU/EEA, you also have the right to lodge a complaint with your national data protection authority.
7. Platform Operator and Sub-processors
The Zephyr platform is developed and operated by Synnefo Ltd on Your Organization's behalf under a Data Processing Agreement. Synnefo Ltd processes data only on Your Organization's instructions and may not use the data for any other purpose.
The following sub-processors are used to deliver the platform:
| Provider | Role | Location |
|---|---|---|
| Synnefo Ltd (SC702185) | Platform development and operations | Edinburgh, Scotland, UK |
| Supabase, Inc. | Database hosting and authentication | USA (Virginia) |
| Vercel, Inc. | Application hosting | USA / Global CDN |
| Resend, Inc. | Transactional email notifications | USA |
All data is stored in the United States (AWS Virginia). The platform is operated by Synnefo Ltd, a UK company regulated under the UK GDPR and Data Protection Act 2018. Transfers from the UK or EU are made under the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses as applicable. Transfers from other jurisdictions are made on the basis of contractual necessity.
8. Cookies and Session Data
Zephyr uses session cookies only — small files stored in your browser that keep you logged in during your session. We do not use advertising cookies, analytics cookies, or any third-party tracking.
Sessions expire automatically after 8 hours of inactivity. You can end your session at any time by signing out.
9. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest (AES-256)
- Role-based access control — each user sees only the data their role permits
- Agency employees can access only their own agency's student records
- Session timeout after 8 hours of inactivity
- Daily automated database backups
In the event of a data breach affecting your personal data, we will notify affected parties within 72 hours of becoming aware.
10. Governing Law
This Privacy Policy is governed by the laws of the Commonwealth of Virginia, United States. If you are located in the EU/EEA or another jurisdiction with applicable data protection laws, those laws also apply to the processing of your personal data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and notify platform users by email if the changes are material. Continued use of the platform after changes constitutes acceptance.
12. Contact
For any questions about this Privacy Policy or to exercise your rights, contact our Data Protection Contact:
Your Organization