GDPR Statement
Last updated: 1 May 2026
Franchise recruitment involves processing the personal data of prospective franchisees. That data is sensitive: financial information, employment history, contact details, sometimes details about family circumstances and personal aspirations. UK GDPR applies in full. Franscale is built to make compliance straightforward — not an afterthought.
This statement explains what Franscale does on the GDPR front, and what you (as a franchisor and our customer) remain responsible for.
1. The data relationship
When you use Franscale to manage your recruitment pipeline, you are the data controller for the personal data of your prospects. Franscale Ltd is the data processor — we process that data on your instructions, in line with the law, and only for the purposes you authorise.
This relationship is formalised in our Data Processing Agreement (DPA), which is part of our terms of service. A standalone copy is available on request from privacy@franscale.co.uk.
2. Data residency
All personal data processed by the Franscale platform is hosted in UK data centres. We do not transfer your data — or your prospects' data — outside the UK. Backups are likewise UK-only. This is a deliberate architectural choice and one of the reasons we exist.
3. Article 15 — right of access
If a prospect asks what data you hold about them, you can produce a complete export from Franscale in one click. The export contains every piece of personal data linked to that prospect: form submissions, notes, emails, scoring history, pipeline movement, and any uploaded documents. The output is either a human-readable PDF or structured JSON, whichever you choose.
4. Article 17 — right to erasure
If a prospect exercises their right to be forgotten, Franscale provides a structured erasure workflow. Personal data is deleted from the live system. Where data must be retained for a legitimate reason (legal hold, ongoing dispute, statutory obligation), the system records the reason and the retention period — and surfaces the record for review when retention expires.
5. Article 30 — records of processing
Franscale provides a full audit log: every record viewed, every change made, every export taken, every email sent — with user, timestamp, and action. This is the record-of-processing-activities the regulator may ask for, and it's available for export to your DPO at any time.
6. Lawful basis
Franscale doesn't make lawful basis decisions for you — that's a controller responsibility. What we do is help you record it. Every prospect record stores the lawful basis under which they're being processed (typically legitimate interest for outbound recruitment, consent for marketing emails). When the basis changes, the system records the change and the date.
7. Consent management
Marketing consent for franchisee newsletters or campaigns is captured as a structured field on each prospect, with a timestamp and source. Withdrawing consent is one click — and the system enforces it across all outbound channels immediately.
8. Sub-processors
We use a small number of carefully selected sub-processors: our UK hosting provider, our email delivery service, our analytics provider, and our payment processor. The current list is published in the DPA and updated within 30 days of any change. Customers are notified of new sub-processors before they begin processing data.
9. Security
- TLS 1.2+ encryption in transit; AES-256 encryption at rest.
- Role-based access control with least-privilege defaults.
- Two-factor authentication available on every account; required on Enterprise.
- Penetration testing on a regular cadence by an independent UK provider.
- Daily encrypted backups with documented recovery procedures.
- UK-based staff with access to systems on a need-to-know basis.
10. Breach notification
In the event of a personal data breach affecting your account, we will notify you without undue delay and in any case within 72 hours of becoming aware. You remain responsible for onward notification to the ICO and to affected data subjects under Articles 33 and 34, but Franscale will provide all relevant details, root-cause analysis, and remedial-action documentation.
11. What you remain responsible for
- Determining the lawful basis for processing each prospect.
- Providing a privacy notice to prospects at the point of data collection.
- Honouring data subject rights requests within statutory timeframes.
- Maintaining your own record of processing activities.
- Notifying the ICO of breaches that meet the notification threshold.
Franscale gives you the tools. The accountability sits with you, as the controller — that's how the regulation works.
12. Contact
Questions about this statement, or to request a signed copy of the DPA: