Privacy Policy

How Lusso Staff International & Academy collects, uses and protects your personal data.

Last updated: 6 June 2026

1. Who we are

LUSSO STAFF LIMITED ("Lusso Staff", "we", "us" or "our") is the data controller responsible for your personal data. We are a company registered in England and Wales under company number 16756433, with our registered office at 21–24 Millbank, Millbank Tower, 7th Floor, Office 7.11, London, England, SW1P 4QP.

This policy explains how we collect, use, share and protect your personal data when you use our website, register as a candidate or client, apply for work, or otherwise interact with us. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

For any privacy question or to exercise your rights, contact us at hello@lussostaff.com.

2. The personal data we collect

The data we collect depends on how you interact with us. For candidates who complete our registration, this is extensive because of the regulatory checks involved in placing hospitality staff.

Identity and contact data

  • Full name, date of birth, gender and nationality;
  • Email address, phone number, and current and previous home addresses (including move-in/move-out dates);
  • Emergency contact details, where provided.

Right-to-work and identity documents

  • Passport, Biometric Residence Permit (BRP), national ID and/or birth certificate details and document images;
  • National Insurance number;
  • Immigration / work-permission status and any history of changes to your nationality or surname.

Special-category and criminal-offence data

Because of the nature of the roles we place, we may collect data that UK GDPR treats as requiring extra protection:

  • Health information — whether you have any health conditions or disabilities, or require reasonable adjustments (special-category data under Article 9 UK GDPR);
  • Criminal-offence data — declarations of unspent/relevant convictions and the results of DBS (Disclosure and Barring Service) checks where a role requires them (Article 10 UK GDPR).

Employment, suitability and financial data

  • Employment history (current and previous employers, roles, dates and duties);
  • References and details of any previous agencies you have worked through;
  • Licences and certifications (e.g. driving licence, SIA licence, food-safety certification);
  • Availability and preferred working hours, shift types and roles of interest;
  • Your CV and any documents you upload;
  • Bank details for payment — bank name, account holder name, sort code and account number.

Client and enquiry data

  • For clients: business and contact details, booking requirements, and billing/invoicing information;
  • For general enquiries and applications via our website: the name, contact details, message and any CV you submit.

Technical and usage data

  • Device, browser and IP information, and how you use our website, collected through cookies and similar technologies (see our Cookie Policy);
  • Records of your communications with us.

3. How we collect your data

  • Directly from you — when you register, apply, upload documents, contact us, or use our services;
  • Automatically — through cookies and similar technologies when you use our website;
  • From third parties — such as referees you nominate, the DBS, right-to-work verification providers, and your previous employers/agencies.

4. How and why we use your data, and our lawful bases

Under UK GDPR we must have a lawful basis for processing your personal data. We rely on the following:

  • Performance of a contract — to register you, manage assignments and placements, arrange payment, and provide our services to candidates and clients.
  • Legal obligation — to verify your right to work in the UK, to carry out role-required checks, and to meet tax, National Insurance, employment, health-and-safety and record-keeping duties.
  • Legitimate interests — to match candidates to suitable roles, to operate, secure and improve our website and services, to keep records, and to prevent fraud and misuse, provided your interests and rights do not override these.
  • Consent — to share your CV, profile and references with prospective clients, to send certain marketing communications, and to set non-essential cookies. You can withdraw consent at any time.

Special-category (health) data

Where we process health data, we rely in addition on an Article 9 condition — generally that processing is necessary for the purposes of carrying out our obligations and exercising rights in the field of employment and social security, together with the associated condition in Schedule 1 to the Data Protection Act 2018, for which we maintain an appropriate policy document. Where required, we rely on your explicit consent.

Criminal-offence (DBS) data

We process criminal-offence data only where the role requires it and where we are permitted to do so under Article 10 UK GDPR and the relevant condition in Schedule 1 to the Data Protection Act 2018 (for example, for the prevention or detection of unlawful acts and for assessing suitability for employment).

5. Automated processing

We may use tools that help us match candidates to suitable roles based on the information you provide. These tools support our consultants but do not make decisions that produce legal or similarly significant effects about you without human involvement. If this changes, we will update this policy and tell you about your rights.

6. Who we share your data with

We share personal data only where necessary, with:

  • Clients (prospective employers) — where you have consented, we share your CV, profile and references so they can consider you for work.
  • Service providers (processors) acting on our instructions, including: cloud and file storage for documents and CVs (Vercel Blob), email delivery (Resend), real-time messaging (Pusher), website analytics (Google Analytics), mapping/address lookup (Google Maps), push notifications (Firebase), and our database/hosting providers.
  • Verification and compliance providers — such as right-to-work checking services and the DBS, and the referees you nominate.
  • Professional advisers and authorities — such as our accountants, insurers and legal advisers, and HMRC, regulators, or law-enforcement bodies where required or permitted by law (including to prevent or detect crime or protect public funds).

We do not sell your personal data. Where providers act as processors, they are bound by contract to process your data only on our instructions and to keep it secure.

7. International transfers

Some of our service providers (for example Google and Firebase) may process data outside the UK. Where we transfer personal data outside the UK, we ensure an appropriate safeguard is in place — such as an adequacy decision, the International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses — so that your data continues to receive an equivalent level of protection.

8. How long we keep your data

We keep your personal data only for as long as necessary for the purposes set out in this policy, including to meet legal, accounting, tax and regulatory requirements. Retention periods vary by data type — for example, payroll and tax records are generally kept for at least six years, while candidate records are kept for the duration of our relationship and for a reasonable period afterwards so we can consider you for future roles, unless you ask us to delete them sooner. When data is no longer needed, we securely delete or anonymise it.

9. Your rights

Under UK data protection law, you have the right to:

  • be informed about how we use your data (this policy);
  • access a copy of the personal data we hold about you;
  • have inaccurate or incomplete data corrected;
  • have your data erased in certain circumstances;
  • restrict or object to our processing in certain circumstances;
  • receive certain data in a portable format (data portability); and
  • withdraw consent at any time, where we rely on consent (this does not affect processing carried out before withdrawal).

To exercise any of these rights, contact us at hello@lussostaff.com. We will respond within one month. We may need to verify your identity first. Exercising your rights is free of charge in most cases.

10. Cookies

We use cookies and similar technologies on our website. Please see our Cookie Policy for details and to manage your preferences.

11. How we protect your data

We use appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse or alteration, including access controls, encryption in transit, and restricting access to those who need it. No system is completely secure, but we work to keep your data safe and will notify you and the ICO of any breach where we are legally required to do so.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the "Last updated" date above and, where changes are significant, take reasonable steps to notify you.

13. Complaints and contact

If you have any concerns about how we handle your personal data, please contact us first at hello@lussostaff.com so we can try to resolve them.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk/make-a-complaint or by calling 0303 123 1113.