Privacy Policy

Who we are

AGM Consulting Limited is a company incorporated in Hong Kong SAR (Unique Business Identifier 80172790), with its registered office at Unit B, 11/F, 23 Thomson Road, Wan Chai, Hong Kong SAR, China. AGM is the data controller for the personal data processed through the Platform. For privacy questions or to exercise your rights, contact alex@agm.careers.

How we receive your data

We receive personal data from three sources. First, directly from you when you sign in, complete your profile, sign agreements, upload payment proofs, or take training. Second, from elec.work — the workspace inside which the Platform is embedded — which sends us identity and pipeline-status data over signed webhooks and via single sign-on. Third, from our staff or partner-agency administrators when they record actions on your behalf (for example, manually marking a bank-transfer payment as received).

What personal data we process

Depending on where you are in the candidate journey, we process the following categories of personal data:

• Identity details — full legal name, email address, phone number, country, date of birth, and passport number. Passport numbers are encrypted at the application layer using AES-256-GCM before they reach the database, and are shown masked once saved.
• Authentication signals — argon2id-hashed password (only if you set one), single-use one-time-passcodes (stored hashed and time-limited), magic-link tokens (stored hashed), and two-factor authentication secrets where applicable.
• Session metadata — IP address, user-agent string, and session expiry timestamps. Session cookies are HTTP-only.
• Digital agreement signatures — your typed name or drawn signature SVG, IP address, user-agent, country, region, the timestamp of signing, and per-clause acknowledgments. This is retained as evidence the agreement was signed by you.
• Payment records — installment amounts, currency (EUR), invoice numbers, transaction status, and any bank-transfer proof you upload. The Platform does not currently use a payment gateway; we never see card data.
• Training records — course enrollments, lesson progress, time spent per lesson, quiz attempts, scores, and certificates issued.
• Communications — emails we send you (sign-in codes, magic links, payment receipts, training notifications) and your channel preferences.
• Audit log — actor, action taken, target, IP address, user-agent, and timestamp. This log is retained to meet legal recordkeeping requirements (see Retention).

Why we process it (purposes & lawful basis)

We process your personal data to:

• Provide the Platform to you — sign you in, show your dashboard, deliver training, render and persist your signed agreements, and track your placement progress. (Lawful basis: performance of a contract.)
• Manage the payment lifecycle — issue invoices, record bank transfers, reconcile installments, issue refunds, and produce credit notes where applicable. (Lawful basis: performance of a contract; legal obligation for tax records.)
• Communicate with you about your account — sign-in verification, payment receipts, training updates, certificate issuance. (Lawful basis: performance of a contract; legitimate interest in keeping you informed.)
• Protect the Platform — detect and prevent fraud, abuse, and unauthorised access; investigate suspicious activity. (Lawful basis: legitimate interest.)
• Comply with our legal obligations — recordkeeping, tax, anti-fraud, and regulatory reporting. (Lawful basis: legal obligation.)
• Improve the Platform — fix bugs, monitor reliability, and develop new features. We do this using technical logs and aggregate usage; we do not run third-party analytics. (Lawful basis: legitimate interest.)

Service providers we use

We rely on a small set of vetted service providers ("sub-processors") to operate the Platform. They process personal data on our instructions and under contract:

• Vercel Inc. — hosting, edge networking, and Vercel Blob storage for signed-agreement PDFs, invoices, certificates, your bank-transfer proof uploads, and lesson media.
• Neon (managed Postgres on Vercel) — primary database, encrypted at rest.
• Twilio SendGrid — transactional email delivery (sign-in codes, magic links, payment receipts, notifications).
• ELEC Fleet Technologies (elec.work) — the workspace within which the Platform is embedded. Identity and pipeline-status data flow bidirectionally over signed webhooks and via single sign-on.

Cross-border transfers

Personal data is transferred across borders by design: candidates are typically based in India or Pakistan, AGM is established in Hong Kong, the Romanian placement employers are in the EU, and our hosting infrastructure runs globally on Vercel. Where personal data is transferred outside the EEA / UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses with our sub-processors, and we apply equivalent safeguards in line with the Hong Kong Personal Data (Privacy) Ordinance.

How long we keep your data

We keep personal data only for as long as we need it. Specifically:

• Account and profile data — for as long as your account is active. After account closure, we retain a minimal record needed to honour our contracts and to defend or pursue legal claims.
• Signed agreements and signature evidence — at least seven years after signing, for legal and recordkeeping reasons.
• Invoices, transactions, and credit notes — at least seven years, to meet tax and accounting obligations.
• Audit log entries — at least seven years. The actor reference is set to NULL when an account is erased so the log itself remains intact for compliance.
• Session records — auto-expire after thirty days for candidates and after eight hours for administrators (with a 30-minute idle timeout). Expired sessions are pruned.
• One-time-passcodes and magic-link tokens — purged shortly after use or expiry.

How we protect your data

All traffic is encrypted in transit using TLS 1.3. The database is encrypted at rest. Passport numbers are additionally encrypted at the application layer (AES-256-GCM) before being stored. Passwords, where set, are hashed with argon2id; one-time-passcodes and magic-link tokens are stored hashed. Administrator accounts must use two-factor authentication and (for super-administrators) pass an IP allowlist on every authenticated request. We log every state-changing administrative action to a tamper-evident audit log. We do not log request bodies or sensitive field values.

Your rights

Subject to applicable law, you have the right to access the personal data we hold about you, to correct inaccurate data, to ask us to erase your data, to restrict or object to processing, to receive a copy of your data in a portable format, and to withdraw consent where we rely on it. You can exercise most of these rights yourself from the profile page (correction, language and notification preferences). For the others, email us at alex@agm.careers. We will respond within thirty days. See our GDPR page for more detail on what each right means and how to invoke it.

Children

The Platform is not directed to children under 18 and we do not knowingly accept candidates below the age required for lawful work in the destination country. If you believe a minor's data has been submitted to the Platform, contact alex@agm.careers and we will investigate and erase it.

Cookies

We use a small number of strictly-necessary cookies to keep you signed in and to remember your preferred language. We do not load advertising or third-party analytics cookies. See our Cookie Policy for the full list.

Changes to this policy

If we make material changes to this Privacy Policy we will update the "Last updated" date above and, where appropriate, notify you by email or in-app message. Continued use of the Platform after a change indicates your acceptance of the revised policy.

Contact us

Questions, requests, or complaints about this Privacy Policy can be sent to alex@agm.careers, or in writing to AGM Consulting Limited, Unit B, 11/F, 23 Thomson Road, Wan Chai, Hong Kong SAR, China.