Legal · Last updated 7 July 2026
Data Protection & Privacy
This page explains how Two Circles Live Production Crew ("we", "us") collects, uses, stores and protects personal data submitted through the freelance crew application platform, in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and applicable national implementations.
1. Data controller
Two Circles Live Production Crew is the data controller for personal data collected through this site. For any privacy request, contact us at the address shown in the footer.
2. What we collect
- Identity & contact: full name, email, phone, preferred contact channel.
- Location & mobility: country, city, home airport, travel radius, willingness to travel internationally.
- Professional profile: roles, sports, languages, English level, years of experience, credits, references, showreel and CV.
- Commercial data: day / half-day rates, notice period, overtime policy.
- Consent records: GDPR consent, terms acceptance, marketing opt-in, timestamps.
- Operational metadata: submission timestamps, email-verification timestamp, list-activity confirmations, admin status changes and internal notes.
3. Purpose and legal basis
- Contract / pre-contract (Art. 6(1)(b) GDPR): evaluating your application, contacting you about live broadcast productions, and managing engagements.
- Legitimate interests (Art. 6(1)(f) GDPR): maintaining a curated crew roster, internal QA notes, fraud / spam prevention, audit trail of admin actions and outreach.
- Consent (Art. 6(1)(a) GDPR): optional marketing communication and the periodic list-activity confirmation email. Consent can be withdrawn at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c) GDPR): retaining records required by tax, accounting or employment law when we engage you.
4. Retention
- Active roster records are kept while the profile remains active.
- If a profile stays unconfirmed after two consecutive activity-confirmation emails, the record is archived and deleted within 24 months of the last interaction.
- Rejected or withdrawn applications: deleted within 12 months.
- Audit logs (status changes, outreach campaigns) are retained for up to 36 months for accountability.
- Records tied to a paid engagement follow statutory retention (typically up to 10 years for accounting).
5. Security measures
- Data is stored in EU-hosted managed Postgres with encryption in transit (TLS) and at rest.
- Row-Level Security policies restrict access to authenticated administrators; freelancer records are never publicly readable.
- Admin access is invitation-only, role-based, and logged.
- CVs are stored in a private object bucket accessible only through short-lived signed URLs.
- Anti-spam controls (honeypot, timing, arithmetic challenge) protect the public application form.
- Passwords are handled exclusively by the managed auth provider; we never store plaintext credentials.
6. Subprocessors
We use a small number of GDPR-compliant subprocessors, each under a Data Processing Agreement:
- Managed database, auth and object storage (EU region).
- Transactional email delivery for verification, activity confirmation and outreach.
- Application hosting on an EU / global edge network.
We do not sell personal data and do not use it for automated decision-making with legal effect.
7. International transfers
Where a subprocessor operates outside the EEA, transfers rely on Standard Contractual Clauses (Art. 46 GDPR) and additional safeguards where necessary.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Request erasure ("right to be forgotten", Art. 17).
- Restrict or object to processing (Art. 18 & 21).
- Data portability in a machine-readable format (Art. 20).
- Withdraw consent at any time (Art. 7(3)).
- Lodge a complaint with your local supervisory authority (Art. 77).
Requests are handled within 30 days. Contact us via the address in the footer.
9. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected individuals without undue delay, in accordance with Art. 33 and 34 GDPR.
10. Changes to this notice
We update this page when our data practices change. The "last updated" date at the top reflects the current version.
