Your work, your privacy.

The short version: your profile is yours. We don't sell it, we don't feed it to AI models, and we collect only what we need to keep HiddenGem working.

Last updated 22 May 2026

HiddenGem is a talent sourcing platform. A place where people build a profile that captures their work history, craft, and projects, so the right people can find them. This Privacy Policy explains what information we collect when you use HiddenGem, how we use it, and the rights you have over it.

HiddenGem is a product of HiddenGem Ltd, a company registered in England and Wales. Throughout this document “HiddenGem”, “we”, “us”, or “our” refers to HiddenGem Ltd. “You” means anyone who visits the site or holds a HiddenGem account.

We aim to comply with the UK GDPR, the EU GDPR, the California Consumer Privacy Act (CCPA/CPRA), and to honour the broader privacy rights of people building careers anywhere in the world. If anything here confuses or concerns you, the contact card is at the bottom.

Who is the data controller

The legal entity responsible for your personal data under UK and EU data protection law is HiddenGem Ltd, a company registered in England and Wales.

Data Controller

HiddenGem Ltd

Registered in England and Wales
Trading as HiddenGem

What we collect

We try to collect as little as possible, and only what's needed to make HiddenGem work. Here's everything:

Account information

Your email address, sign-in identifiers, and session info, handled by our authentication provider (Clerk). If you sign in with a third-party provider, we receive only the basic profile fields that provider sends us. We never see or store your password.

Your profile content

Everything you build into your HiddenGem profile, including work history, projects, portfolio, work preferences, and any text you write. This is the heart of HiddenGem and it belongs to you.

Technical data

Basic log data your browser sends us: IP address, browser type, pages visited, and timestamps. We keep this for a short window to diagnose problems and spot abuse.

What we don't collect: we don't track you across other websites, we don't use advertising cookies, we don't fingerprint your device, and we don't ask for personal details that aren't useful to the platform.

How we use it

We use the information we collect to:

Run the service. Build and serve your profile, power discovery, keep your account secure.
Generate your resume. Pull from your profile to build resumes you can download in light or dark mode, every time freshly assembled.
Keep things working. Fix bugs, prevent spam and abuse, and improve features based on what's actually being used.
Talk to you when we must. Important account notices, security alerts, or material changes to this policy. No marketing spam.
Meet legal obligations. Respond to lawful requests, resolve disputes, and enforce our terms.

The part we care most about

Talent is not a commodity.

HiddenGem exists because we think people building careers deserve better than keyword soup and spam. That belief is the foundation of how we treat your data, and the four promises below are non-negotiable.

No selling profiles

We do not sell, license, or transfer your profile data to data brokers or anyone else outside the platform.

No paid ranking

Users cannot pay to surface their profiles or get preferential access.

No AI training

We do not use your work, your portfolio, or anything else on your profile to train AI models.

No silent changes

If we ever need to revisit any of the above, we will tell you first, clearly, with time to leave if you disagree.

Our legal bases for processing

Under the UK GDPR and EU GDPR, we rely on the following lawful bases:

Contract. Running your account, showing your profile in discovery, necessary to deliver the service you signed up for.
Legitimate interests. Basic logging, spam prevention, and security monitoring. We've weighed this against your privacy and kept collection minimal.
Consent. Where we ask for something optional, like making your work preferences visible to others, we only act on it if you say yes. You can withdraw consent at any time.
Legal obligation. When we have to respond to a lawful request from a court or regulator.

Who we share it with

We don't sell your data. We don't rent it. We share personal data only with a small set of infrastructure providers that help us run HiddenGem, each bound by a data processing agreement.

SupabaseDatabase & storage

Stores your profile and all the content you build, including work history, projects, portfolio links, and preferences. Hosted in the European Union. Privacy policy →

VercelHosting

Serves the HiddenGem website and handles basic request logging. Privacy policy →

ClerkAuthentication

Handles sign-in, session management, account security, and the email tied to your account. Does not see your profile content. Privacy policy →

We may also disclose information if required by law or to protect the rights, safety, or property of HiddenGem or its users. If we're ever compelled to hand something over, we will push back where we lawfully can and notify the person affected where we're allowed to.

If we add a new infrastructure vendor, we'll update this list before that vendor starts handling your data.

International data transfers

HiddenGem has a global audience. If you're using HiddenGem from outside the UK or EU, your data will be transferred to and stored on servers located in the European Union (via Supabase) and may be processed by vendors operating in other jurisdictions, including the United States.

When personal data leaves the UK or EEA, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an equivalent safeguard to ensure your data keeps the same level of protection wherever it goes.

How long we keep things

Your account and profile content stick around for as long as your account is active. If you delete your account, we delete your personal data within 30 days, with the exception of:

Backups. Encrypted backups may retain your data for up to 60 days before rotation.
Aggregate analytics. Anonymised, non-identifying usage statistics may be retained indefinitely.

Technical logs are rotated out automatically, typically within 30 days.

How we protect it

We take reasonable technical and organisational measures to protect your data: encryption in transit (TLS), encryption at rest for sensitive fields, hashed passwords (handled by Clerk), access controls on our infrastructure, and audit logging on internal admin tools.

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours (as UK GDPR requires) and, where the risk is significant, we will notify you directly as soon as we reasonably can.

Your rights

Depending on where you live, you have a set of rights over the personal data we hold about you. We honour these globally where we reasonably can.

a · Access

See what we hold

Ask for a copy of the personal data we hold about you.

b · Rectification

Correct what's wrong

Ask us to correct anything that's wrong or out of date.

c · Erasure

Delete it all

Ask us to delete your account and the data we hold on you.

d · Restriction

Pause processing

Ask us to pause processing while a dispute is being sorted out.

e · Portability

Take it elsewhere

Receive your data in a portable, machine-readable format.

f · Object

Push back

Object to processing based on our legitimate interests.

g · Withdraw consent

Change your mind

Pull back any consent you've given, at any time.

h · Complain

Escalate it

Lodge a complaint with your local data protection authority.

To exercise any of these, write to contact@hiddengem.gg. We'll respond within 30 days with no charge and no need to justify your request.

UK and EU users

In the UK, you can complain to the Information Commissioner's Office at ico.org.uk. In the EEA, contact your local data protection authority.

California users

Under the CCPA and CPRA, California residents have additional rights including the right to know, delete, correct, and opt out of sale or sharing. We don't sell or share personal information as defined by the CCPA. Email us to exercise your rights. We will not discriminate against you for doing so.

Everywhere else

If you're using HiddenGem from outside the UK, EU, or California, you still have these rights with us. Send a note and we'll take care of it.

Minors

HiddenGem is not intended for people under 18. We don't knowingly collect personal data from anyone under that age. If you're a parent or guardian and believe your child has created an account, please get in touch.

Cookies and similar things

We use a small number of cookies to keep you signed in, remember your preferences, and measure basic site performance. We don't use advertising cookies, cross-site trackers, or third-party analytics tools that build profiles on you.

You can block or delete cookies through your browser settings. If you do, some parts of HiddenGem may stop working properly.

Changes to this policy

When we make material changes, we'll notify active users by email or in-app before the change takes effect. If HiddenGem Ltd is ever acquired or restructured, we will tell you before any personal data moves and give you the chance to delete your account first.

Governing law

This policy is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the English courts, without prejudice to your rights as a consumer under the laws of your own country.

Get in touch

Questions?

Write to us. Emails don't go into a black hole. A real person on the team reads every one.

contact@hiddengem.gg

HiddenGem is a talent sourcing platform.

A product of HiddenGem Ltd, registered in England and Wales.